Products
calamares-nixos-extensions
- < 0.3.17
Source
security-advisories@github.com
Tags
CVE-2024-43378 details
Last Modified : Aug. 16, 2024, 2:15 a.m.
Description
calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where the system was booted via legacy BIOS rather than UEFI; some disk partitions are encrypted; but the partitions containing either `/` or `/boot` are unencrypted; have their LUKS disk encryption key file in plain text either in `/crypto_keyfile.bin`, or in a CPIO archive attached to their NixOS initrd. `nixos-install` is not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems. The problem has been fixed in calamares-nixos-extensions 0.3.17, which was included in NixOS. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. The fix reached 24.05 at 2024-08-13 20:06:59 UTC, and unstable at 2024-08-15 09:00:20 UTC. Installer images downloaded before those times may be vulnerable. The best solution for affected users is probably to back up their data and do a complete reinstallation. However, the mitigation procedure in GHSA-3rvf-24q2-24ww should work solely for the case where `/` is encrypted but `/boot` is not. If `/` is unencrypted, then the `/crypto_keyfile.bin` file will need to be deleted in addition to the remediation steps in the previous advisory. This issue is a partial regression of CVE-2023-36476 / GHSA-3rvf-24q2-24ww, which was more severe as it applied to the default configuration on BIOS systems.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7.8 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-256 | Plaintext Storage of a Password | Storing a password in plaintext may result in a system compromise. |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
7.8
Exploitability Score
1.4
Impact Score
5.8
Base Severity
HIGH
Vector String : CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
References
URL | Source |
---|---|
https://github.com/NixOS/calamares-nixos-extensions/pull/43 | security-advisories@github.com |
https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-3rvf-24q2-24ww | security-advisories@github.com |
https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-vfxf-gpmj-2p25 | security-advisories@github.com |
https://github.com/NixOS/nixpkgs/pull/331607 | security-advisories@github.com |
https://github.com/NixOS/nixpkgs/pull/334252 | security-advisories@github.com |