CVE-2024-45004: Vulnerability in the Linux kernel (KEYS: trusted: dcp)
In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: dcp: fix leak of blob encryption key

Trusted keys unseal the key blob on load, but keep the sealed payload in the blob field so that every subsequent read (export) will simply convert this field to hex and send it to userspace.

With DCP-based trusted keys, we decrypt the blob encryption key (BEK) in the kernel due to hardware limitations and then decrypt the blob payload. BEK decryption is done in-place, which means that the trusted key blob field is modified and it consequently holds the BEK in plain text. Every subsequent read of that key thus sends the plain text BEK instead of the encrypted BEK to userspace.

This issue only occurs when importing a trusted DCP-based key and then exporting it again. This should rarely happen, as the common use cases are to either create a new trusted key and export it, or import a key blob and then just use it without exporting it again.

Fix this by performing BEK decryption and encryption in a dedicated buffer. Further, always wipe the plain text BEK buffer to prevent leaking the key via uninitialized memory.
AI Analysis
Technical Summary
CVE-2024-45004 is an information disclosure bug in the Linux kernel's trusted keys subsystem, specifically in the DCP backend (security/keys/trusted-keys/trusted_dcp.c) that seals trusted keys with the Data Co-Processor found on NXP i.MX SoCs. That backend was added in kernel 6.10, so only 6.10-series kernels built with it are affected; the TPM, TEE and CAAM trusted-key backends do not share this code path. A DCP trusted key blob carries a per-blob blob encryption key (BEK) wrapped by a device-bound key inside the DCP, together with the key payload encrypted under that BEK. Because the hardware only unwraps the BEK and does not decrypt the payload itself, the kernel unwraps the BEK in software and then decrypts the payload. The defect is that the unwrap was done in place, overwriting the blob_key field of the stored blob with the plaintext BEK. Trusted keys keep the sealed blob in memory so that a later read (keyctl read, print or pipe) can hex-encode it for userspace; after a load, that stored blob contained the plaintext BEK, so every export handed it out. Anyone holding the exported blob can then decrypt its payload without access to the DCP hardware, which defeats the purpose of hardware-sealed key material. The trigger is narrow: it occurs only when an existing blob is loaded (keyctl add trusted ... "load <hex>") and then exported again. Creating a new key and exporting it, or loading a blob and only using it, are unaffected. The fix unwraps the BEK into a dedicated buffer, leaves the blob field untouched, and wipes that buffer so the plaintext does not linger in memory. No exploits are known in the wild, the CVE was published on September 4, 2024, and no CVSS score has been assigned.
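The following C program is an added illustration of the in-place unwrap pattern described above, written for this page; it is not the kernel's trusted_dcp.c. The blob layout (version, wrapped blob key, nonce, payload) follows the shape described in the advisory, but the field sizes, the XOR "hardware" unwrap standing in for the DCP device key, the XOR stream standing in for the AEAD, and all key bytes are constructed for the demo. It performs a load followed by an export with both the vulnerable and the fixed unseal and reports whether the exported blob carries the plaintext BEK.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BEK_LEN     16
#define NONCE_LEN   16
#define KEY_LEN     32
#define MAX_PAYLOAD 64

/* Blob layout modelled on the DCP format (version, wrapped blob key, nonce,
 * payload); fixed-size payload and these sizes are demo simplifications. */
struct dcp_blob {
    uint8_t  fmt_version;
    uint8_t  blob_key[BEK_LEN];    /* BEK, wrapped by the device key when sealed */
    uint8_t  nonce[NONCE_LEN];
    uint32_t payload_len;
    uint8_t  payload[MAX_PAYLOAD]; /* trusted key material, encrypted under BEK */
};

/* Constructed stand-in for the OTP-fused device key. In hardware it never
 * leaves the DCP; here it is a constant so the program runs in userspace. */
static const uint8_t device_key[BEK_LEN + 1] = "otp-fused-key-00";

/* Stand-in for the DCP wrap/unwrap of the BEK (XOR, so one routine serves
 * both directions). Not a real cipher. */
static void hw_crypt_bek(const uint8_t *in, uint8_t *out)
{
    for (int i = 0; i < BEK_LEN; i++)
        out[i] = in[i] ^ device_key[i];
}

/* Stand-in for the AEAD over the payload, keyed by BEK and nonce. Not a real
 * cipher; it only shows where the plaintext BEK is consumed. */
static void payload_crypt(const uint8_t *in, uint8_t *out, uint32_t len,
                          const uint8_t *bek, const uint8_t *nonce)
{
    for (uint32_t i = 0; i < len; i++)
        out[i] = in[i] ^ bek[i % BEK_LEN] ^ nonce[i % NONCE_LEN];
}

/* Wipe the compiler cannot elide (the kernel idiom is memzero_explicit()). */
static void wipe(uint8_t *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

static void seal(struct dcp_blob *b, const uint8_t *bek, const uint8_t *nonce,
                 const uint8_t *key, uint32_t key_len)
{
    memset(b, 0, sizeof *b);
    b->fmt_version = 1;
    hw_crypt_bek(bek, b->blob_key);
    memcpy(b->nonce, nonce, NONCE_LEN);
    b->payload_len = key_len;
    payload_crypt(key, b->payload, key_len, bek, nonce);
}

/* Vulnerable pattern: the BEK is unwrapped in place inside the stored blob,
 * which a later export (keyctl read) hex-encodes verbatim for userspace. */
static void unseal_vulnerable(struct dcp_blob *b, uint8_t *key_out)
{
    hw_crypt_bek(b->blob_key, b->blob_key);   /* blob now holds plaintext BEK */
    payload_crypt(b->payload, key_out, b->payload_len, b->blob_key, b->nonce);
}

/* Fixed pattern: unwrap into a dedicated buffer and wipe it afterwards; the
 * stored blob keeps the wrapped BEK, so export returns what was imported. */
static void unseal_fixed(struct dcp_blob *b, uint8_t *key_out)
{
    uint8_t plain_bek[BEK_LEN];

    hw_crypt_bek(b->blob_key, plain_bek);
    payload_crypt(b->payload, key_out, b->payload_len, plain_bek, b->nonce);
    wipe(plain_bek, sizeof plain_bek);
}

/* Constructed demo inputs: a BEK, a nonce and 32 bytes of key material. */
static const uint8_t demo_bek[BEK_LEN + 1]     = "blob-encrypt-key";
static const uint8_t demo_nonce[NONCE_LEN + 1] = "0123456789abcdef";
static const uint8_t demo_key[KEY_LEN + 1]     = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD";

/* Load then export: returns 1 if the stored blob now exposes the plaintext
 * BEK, 0 if it still holds the wrapped BEK it was imported with. */
int export_leaks_bek(int use_fix)
{
    struct dcp_blob stored;
    uint8_t key[MAX_PAYLOAD];

    seal(&stored, demo_bek, demo_nonce, demo_key, KEY_LEN);   /* "load" */
    if (use_fix)
        unseal_fixed(&stored, key);
    else
        unseal_vulnerable(&stored, key);
    return memcmp(stored.blob_key, demo_bek, BEK_LEN) == 0;   /* "export" */
}

/* Both code paths must still recover the same key material. */
int unseal_recovers_key(int use_fix)
{
    struct dcp_blob b;
    uint8_t key[MAX_PAYLOAD];

    seal(&b, demo_bek, demo_nonce, demo_key, KEY_LEN);
    if (use_fix)
        unseal_fixed(&b, key);
    else
        unseal_vulnerable(&b, key);
    return memcmp(key, demo_key, KEY_LEN) == 0;
}

int main(void)
{
    printf("vulnerable: leak=%d key_ok=%d\n", export_leaks_bek(0), unseal_recovers_key(0));
    printf("fixed:      leak=%d key_ok=%d\n", export_leaks_bek(1), unseal_recovers_key(1));
    return 0;
}
```

The point the two unseal routines make is that both recover the key correctly, so nothing in normal use reveals the defect; only the content of the stored blob differs, and only an export after a load observes it. That is why the commit describes the trigger as rare and why the fix is purely about where the plaintext BEK lives and how long.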
Potential Impact
For European organizations, the exposure is limited to devices running an affected 6.10-series kernel with the DCP trusted-key backend, which in practice means embedded and IoT products built on NXP i.MX SoCs (industrial controllers, gateways, automotive and medical devices and similar), not general-purpose servers or cloud hosts. On such a device the leaked blob encryption key undermines the confidentiality of the sealed key material: whoever can read the key from the kernel keyring after it has been loaded, or who later obtains a blob that was exported in that state and written to flash or a backup, can decrypt the payload offline without the device's DCP hardware. The payload is typically a secret the device relies on (a disk or filesystem encryption key, an EVM or IMA key, or an application secret), so loss of it can expose data at rest on the device or, where the same blob is shared across a fleet, on many devices. Reading a key still requires the appropriate keyring permission, so the attacker needs local access as the key's owner or possessor, and the vulnerable sequence (load, then export) has to occur. Integrity and availability are not affected; this is an information disclosure. Organizations subject to data protection rules such as the GDPR should treat a leaked sealing key as a potential personal-data exposure for the devices involved.
Mitigation Recommendations
European organizations should update affected devices to a kernel that carries the fix for CVE-2024-45004 (the patch is in the 6.10 stable series and later) as their board support package or distribution provides it. Until then, do not export DCP trusted keys that were imported with "load"; generate a key, export its blob once, and afterwards only load and use it. Restrict read access to trusted keys with keyctl setperm so that only the intended possessor can read them, and audit keyctl and add_key syscalls (for example with auditd rules on those syscalls) to spot exports that should not occur. Inventory blobs that were exported after a load on an unpatched kernel and stored to flash, disk or backups: each of them contains the plaintext BEK and should be treated as compromised, which means generating a fresh trusted key, re-sealing it, re-encrypting whatever the old key protected, and deleting the old blobs. Firmware for TPMs or external HSMs is not involved and does not need to change for this issue; the fix is in the kernel alone.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T05:34:56.678Z
- CISA Enriched: true
- CVSS Version: none assigned
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe0e73
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 11:40:54 PM
Last updated: 8/14/2025, 9:31:57 AM