Undetected Linux Kernel Flaw Opens Root Access on Major Distributions

Qualys researchers disclosed a nine-year-old Linux kernel vulnerability that enables local attackers to gain root access and steal sensitive credentials on major distributions.

CSBadmin

Vulnerability Discovery and Scope

Cybersecurity researchers at Qualys have uncovered a privilege management flaw in the Linux kernel that went undetected for nine years. The vulnerability, nicknamed ssh-keysign-pwn, stems from improper privilege handling within the kernel’s __ptrace_may_access() function, a flaw introduced in November 2016. It affects default installations of major Linux distributions including Debian, Fedora, and Ubuntu.

The flaw allows an unprivileged local user to disclose sensitive system files and execute arbitrary commands with root privileges. Researchers described the exploit primitive as reliable, capable of transforming any local shell into a path to root access or sensitive credential material. The vulnerability has been assigned a CVSS score of 5.5.

Exploitation Methods and Mitigation

Successful exploitation enables attackers to access critical files such as /etc/shadow and SSH host private keys stored under /etc/ssh/*_key. The Qualys team demonstrated four distinct exploit vectors targeting the chage, ssh-keysign, pkexec, and accounts-daemon utilities to achieve arbitrary command execution as root. A proof-of-concept exploit was released following a related public kernel commit.

Security administrators are advised to apply the latest kernel updates from their respective Linux distributions without delay. For environments where immediate patching is not feasible, a temporary workaround involves setting the kernel parameter kernel.yama.ptrace_scope to 2. Experts recommend rotating SSH host keys and reviewing credentials that may have been cached in memory by set-uid processes, particularly on hosts where untrusted local users have had access during the exposure window.

Source: The Hacker News
