PT-2024-30540 · Unknown · Calamares-Nixos-Extensions

Nintorac +1

Published 2024-08-15 · Updated 2024-08-19

CVE-2024-43378

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: calamares-nixos-extensions versions prior to 0.3.17
Description: The issue affects users who installed NixOS through the graphical installer using manual disk partitioning, where the system boots via legacy BIOS, some disk partitions are encrypted, but the partition containing / or the partition containing /boot is unencrypted. In that configuration the LUKS disk encryption key file is stored in plain text, either as /crypto_keyfile.bin on the root filesystem or in a CPIO archive appended to the NixOS initrd under /boot. Anyone who can read the unencrypted partition (for example by booting the machine from other media or removing the disk) can recover the key and unlock the encrypted partitions, which defeats the disk encryption. This problem is a partial regression of a previous issue in the same component. The estimated number of potentially affected devices is not specified.
Recommendations: For calamares-nixos-extensions versions prior to 0.3.17, the best solution is to back up data and perform a complete reinstallation. As a temporary workaround, delete the /crypto_keyfile.bin file and follow the remediation steps for the previous advisory, in particular when / is unencrypted but /boot is encrypted. Until the system is reinstalled, restrict local and physical access to affected systems, since the exposed key file is readable by anyone who can read the unencrypted partition, and do not rely on crypto_keyfile.bin in the affected setup.
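The following script is an added example, written for this page and not taken from the advisory or from the calamares-nixos-extensions project. It checks a NixOS host for the two plaintext copies of the key file the advisory names: /crypto_keyfile.bin on the root filesystem, and an initrd under /boot that carries a crypto_keyfile.bin member in an appended CPIO archive. It then reports whether the filesystem holding each copy is on a dm-crypt mapping. It assumes util-linux findmnt and lsblk, GNU grep with -a, and that initrd images under /boot have "initrd" in their file name; the byte search only sees member names in an uncompressed appended archive, so a clean result is a heuristic, not proof of absence.

```shell
#!/usr/bin/env bash
# check_calamares_keyfile.sh (added example; not part of the advisory or of
# calamares-nixos-extensions). Looks for the plaintext LUKS key file copies
# described in CVE-2024-43378 and reports whether they sit on an unencrypted
# filesystem. Assumes util-linux (findmnt, lsblk), GNU grep -a, and initrd
# images under /boot whose names contain "initrd".

KEYFILE_NAME="crypto_keyfile.bin"

# Returns 0 when the block device under mountpoint $1 has a dm-crypt mapping
# anywhere in its parent chain (plain LUKS or LVM-on-LUKS); returns 1 when the
# filesystem is unencrypted or the chain cannot be determined.
fs_is_encrypted() {
  local src
  src=$(findmnt -no SOURCE --target "$1" 2>/dev/null) || return 1
  lsblk -sno TYPE "$src" 2>/dev/null | grep -qw crypt
}

# Returns 0 when $1/crypto_keyfile.bin exists and prints its ls -l line.
# File mode does not help here: an offline reader of the partition ignores it.
keyfile_on_root() {
  local f="$1/$KEYFILE_NAME"
  [ -f "$f" ] || return 1
  printf '  %s\n' "$(ls -ld "$f")"
}

# Returns 0 when initrd image $1 contains the key file name as raw bytes. The
# main initrd is usually compressed, but an archive appended for secrets is a
# separate uncompressed CPIO, so its member names are visible to a byte search.
initrd_embeds_keyfile() {
  grep -aq "$KEYFILE_NAME" "$1" 2>/dev/null
}

# Prints, one per line, every file under $1 whose name contains "initrd" and
# which embeds the key file name.
list_exposed_initrds() {
  find "$1" -type f -name '*initrd*' -exec grep -al "$KEYFILE_NAME" {} + 2>/dev/null | sort
}

# Full report for root mountpoint $1 (default /) and boot directory $2
# (default /boot). Returns 1 when a plaintext key file copy is reachable from
# an unencrypted filesystem, 0 otherwise.
report() {
  local root="${1:-/}" boot="${2:-/boot}" exposed=0 hits
  if keyfile_on_root "$root" >/dev/null; then
    if fs_is_encrypted "$root"; then
      echo "$KEYFILE_NAME present on $root, but $root is on dm-crypt (only readable after unlocking)"
    else
      echo "EXPOSED: plaintext $KEYFILE_NAME on unencrypted $root:"
      keyfile_on_root "$root"
      exposed=1
    fi
  fi
  hits=$(list_exposed_initrds "$boot")
  if [ -n "$hits" ]; then
    if fs_is_encrypted "$boot"; then
      echo "initrd under $boot embeds $KEYFILE_NAME, but $boot is on dm-crypt"
    else
      echo "EXPOSED: initrd under unencrypted $boot embeds $KEYFILE_NAME:"
      echo "$hits" | sed 's/^/  /'
      exposed=1
    fi
  fi
  if [ "$exposed" -eq 1 ]; then
    echo "Affected setup (CVE-2024-43378): back up and reinstall with calamares-nixos-extensions 0.3.17 or later;"
    echo "as a stopgap, delete /$KEYFILE_NAME and apply the earlier advisory's remediation steps."
    return 1
  fi
  echo "no plaintext $KEYFILE_NAME copy found on an unencrypted filesystem (heuristic check)"
}

# Run the report only when paths are given, e.g.: bash check_calamares_keyfile.sh / /boot
if [ $# -gt 0 ]; then
  report "$1" "$2"
fi
```

Run it as root so that /boot and the root filesystem are readable; a non-zero exit status means a plaintext copy of the key file was found on an unencrypted filesystem.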

Related Identifiers

CVE-2024-43378
GHSA-3RVF-24Q2-24WW
GHSA-VFXF-GPMJ-2P25

Affected Products

Calamares-Nixos-Extensions