CVE-2023-36476: 
NixOS vulnerability analysis and mitigation

calamares-nixos-extensions, which provides Calamares branding and modules for NixOS (a distribution of GNU/Linux), was found to contain a security vulnerability affecting version 0.3.12 and prior. The vulnerability was discovered in June 2023 and involves the exposure of LUKS encryption key files in plaintext format. Users who installed NixOS through the graphical calamares installer, with an unencrypted /boot, on either non-UEFI systems or with a LUKS partition different from / were affected (GitHub Advisory).

The vulnerability exposes LUKS disk encryption key files in /boot as a plaintext CPIO archive attached to the NixOS initrd. The issue has been assigned CVE-2023-36476 and received a CVSS v3.1 base score of 7.9 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability exposes LUKS encryption key files in plaintext, potentially allowing unauthorized access to encrypted partitions. This affects systems installed through the graphical installer with specific configurations, particularly those with unencrypted /boot partitions. The exposure of these encryption keys could compromise the confidentiality of data stored in encrypted partitions (GitHub Advisory).

A patch has been released in version 0.3.13 of calamares-nixos-extensions. For affected users, a workaround involves rebooting with a trusted NixOS live environment, mounting the rootfs and LUKS devices, backing up valuable data, performing a re-encryption procedure using cryptsetup reencrypt, removing mentions of boot.initrd.secrets."crypto_keyfile.bin" from the NixOS configuration, and rebuilding the system. The fix has been implemented in commit 837ca4d (GitHub Patch).