CVE-2024-45004: 
Linux Debian vulnerability analysis and mitigation

A vulnerability in the Linux kernel's trusted key system has been identified as CVE-2024-45004. The issue affects the DCP-based trusted keys functionality, where the blob encryption key (BEK) is exposed in plain text during key operations. This vulnerability was discovered in Linux kernel versions 6.10 and above, and has been resolved through a security patch (Kernel Patch).

The vulnerability occurs when DCP-based trusted keys decrypt the blob encryption key (BEK) in the kernel due to hardware limitations. The BEK decryption is performed in-place, which modifies the trusted key blob field and leaves the BEK in plain text. As a result, subsequent read operations (exports) send the plain text BEK to userspace instead of the encrypted version. The issue specifically manifests when importing a trusted DCP-based key and then exporting it again. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability leads to the exposure of sensitive key material (the blob encryption key) in plain text to userspace. This could potentially allow local attackers with appropriate privileges to access cryptographic keys that should remain encrypted, compromising the security of the trusted key system (Kernel Patch).

The vulnerability has been fixed by modifying the key handling process to perform BEK decryption and encryption in a dedicated buffer, rather than in-place. Additionally, the fix includes wiping the plain text BEK buffer to prevent leaking the key via uninitialized memory. Users should update to the patched version of the Linux kernel (Kernel Patch).