Urgent Kernel Patches Released for Critical ssh-keysign-pwn Vulnerability
Breaking: Linux Kernel 7.0.8 and LTS Updates Address Critical File Read Flaw
Linux maintainers have rushed out new stable kernel releases today, including version 7.0.8 and updated long-term support (LTS) kernels, to patch a severe vulnerability dubbed ssh-keysign-pwn. The flaw allows unprivileged local users to read root-owned files, putting the confidentiality of host keys, password hashes and other root-only data at immediate risk.
Disclosed just yesterday, the vulnerability exploits a weakness in the ssh-keysign helper binary. Attackers with local access can leverage it to bypass privilege boundaries and access sensitive data such as SSH host keys, shadow passwords, or configuration files.
Background
The ssh-keysign utility is a helper shipped with OpenSSH (userspace, not part of the kernel itself). The ssh client invokes it during host-based authentication so that the authentication request can be signed with the host's private key, which only root can read; for that reason the binary is installed with elevated privileges (typically setuid root, or setgid to a group that can read the host keys, depending on the distribution). According to the disclosure, it fails to properly restrict file read operations when invoked by an unauthorized local user.
The bug is attributed to security researchers at Qualys, who coordinated disclosure with the Linux kernel security team. The vulnerability affects all Linux systems on which ssh-keysign is installed with a setuid or setgid bit, which is the default in common server and desktop distributions.
What This Means
Immediate action is required from system administrators and users. The flaw allows any local user, root or not, to read arbitrary root-owned files, including the SSH host private keys. Possession of a host key lets an attacker impersonate the server in an active man-in-the-middle attack against clients that trust that host. It does not let them decrypt traffic captured earlier: SSH derives session keys from an ephemeral key exchange, and the host key only authenticates that exchange.
While the attack requires local access, it can be combined with other vulnerabilities or insider threats. Patched kernels (7.0.8, plus updated point releases on the 6.12 and 5.15 LTS branches) are already available from kernel.org and distribution repositories.
Expert Quotes
Linus Torvalds, kernel creator, urged rapid deployment: "This is a nasty local privilege escalation path. I strongly recommend everyone update immediately."
Greg Kroah-Hartman, stable kernel maintainer: "We've backported the fix to all active LTS series. Users on older kernels should upgrade to a supported branch."
Impact and Mitigation
The vulnerability does not affect systems on which the ssh-keysign binary is absent or is not installed setuid/setgid. However, most default installations include it with the privileged bit set. Note that setting HostbasedAuthentication no in /etc/ssh/sshd_config only stops the SSH server from accepting host-based logins; it does nothing to prevent a local user from executing the setuid helper directly. Likewise, EnableSSHKeysign no in /etc/ssh/ssh_config only stops the ssh client from calling the helper. The workaround that actually removes the local attack surface is to strip the setuid/setgid bit from the ssh-keysign binary (chmod u-s,g-s on its path, which varies by distribution), at the cost of breaking outbound host-based authentication from that machine.
But the only complete fix is to apply the kernel patch. See list of patched kernels below.
Patched Kernel Versions
- Linux 7.0.8 (latest stable)
- LTS 6.12.y (updated)
- LTS 5.15.y (updated)
- Older LTS branches also receive backports
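The following audit script is an added example, not code from the article, from OpenSSH or from the kernel project. It checks the two things the mitigation and patch-list sections above ask an administrator to verify: whether ssh-keysign is installed with a setuid or setgid bit, and whether the running kernel is on a branch the article lists as patched. The candidate install paths are an assumption (the usual distribution locations), `stat -c %a` assumes GNU coreutils, and the version rules encode only what the article states: 7.0.x is fixed from 7.0.8, while the 6.12 and 5.15 point releases must be compared against the distribution advisory because the article does not name them.

```shell
#!/bin/sh
# Added audit helper (assumptions: GNU stat, Linux, the candidate paths below).
# Reports whether the OpenSSH ssh-keysign helper is privileged and classifies
# the running kernel against the patched branches named in the article.

# Usual install locations of ssh-keysign (distribution dependent; assumption).
SSH_KEYSIGN_CANDIDATES="/usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign /usr/lib/ssh/ssh-keysign /usr/libexec/ssh-keysign"

# find_ssh_keysign: print the first candidate that exists; status 1 if none.
find_ssh_keysign() {
    for p in $SSH_KEYSIGN_CANDIDATES; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# mode_is_privileged MODE: MODE is the octal mode as printed by `stat -c %a`
# (e.g. 4755). Returns 0 when the setuid (4) or setgid (2) bit is set, i.e.
# when any local user can run the helper with elevated credentials.
# A sticky-only mode such as 1777 is not privileged.
mode_is_privileged() {
    case "$1" in
        [2-7]???) return 0 ;;
        *)        return 1 ;;
    esac
}

# kernel_triplet VERSION: reduce a `uname -r` string such as "6.12.34-generic"
# to "MAJOR MINOR PATCH" (missing parts become 0). Runs in a subshell so the
# IFS change used for splitting does not leak into the caller.
kernel_triplet() (
    v=${1%%-*}        # drop "-generic", "-arch1", ...
    v=${v%%+*}        # drop "+" suffixes from local builds
    IFS=.
    set -- $v
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
)

# kernel_status VERSION: classify against the article's patched list.
#   patched / unpatched            - 7.0.x, fixed from 7.0.8 per the article
#   lts-check-point-release        - 6.12 or 5.15, compare with distro advisory
#   not-listed-check-advisory      - any other branch (backports were promised)
kernel_status() {
    set -- $(kernel_triplet "$1")
    case "$1.$2" in
        7.0)
            if [ "$3" -ge 8 ]; then echo patched; else echo unpatched; fi ;;
        6.12|5.15)
            echo lts-check-point-release ;;
        *)
            echo not-listed-check-advisory ;;
    esac
}

# audit_host: run both checks against the live system and print a summary.
audit_host() {
    if bin=$(find_ssh_keysign); then
        mode=$(stat -c %a "$bin")
        if mode_is_privileged "$mode"; then
            echo "ssh-keysign: $bin mode $mode (setuid/setgid: local users can invoke it privileged)"
            echo "  interim hardening until the patched kernel is deployed: chmod u-s,g-s $bin"
        else
            echo "ssh-keysign: $bin mode $mode (no setuid/setgid bit)"
        fi
    else
        echo "ssh-keysign: not found at the usual locations"
    fi
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
}

# Usage: sh ssh-keysign-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

The version classifier deliberately refuses to call a 6.12 or 5.15 kernel "patched": the article names only the branches, so the honest answer for those is to compare the point release against the distribution's advisory rather than guess a number.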
Timeline
- Discovery of the vulnerability, attributed to Qualys researchers.
- Private disclosure to the kernel security team.
- Yesterday: Public disclosure and end of embargo.
- Today: Kernel releases and announcements.
Administrators should test and deploy the updated kernel as soon as possible. For container and cloud environments, rolling out host kernel updates is critical: containers share the host's kernel, so rebuilding images does nothing against a kernel flaw, and a setuid ssh-keysign inside a container is reachable by that container's users just as it is on the host.
This is a developing story. More details may emerge as distributions release their own advisories, including for the openssh packages that ship ssh-keysign.