Breaking: Linux Kernel 7.0.8 and LTS Updates Address Critical File Read Flaw
Linux maintainers have rushed out new stable kernel releases today, including version 7.0.8 and updated long-term support (LTS) kernels, to patch a severe vulnerability dubbed ssh-keysign-pwn. The flaw allows unprivileged users to read root-owned files, posing an immediate risk to system integrity.
Disclosed just yesterday, the vulnerability exploits a weakness in the ssh-keysign helper binary. Attackers with local access can leverage it to bypass privilege boundaries and access sensitive data such as SSH host keys, shadow passwords, or configuration files.
Background
The ssh-keysign utility assists in SSH host-based authentication by signing requests with the host's private key. It runs with elevated privileges but fails to properly restrict file read operations when called by unauthorized users.
Security researchers from Qualys (attributed) identified the bug and coordinated disclosure with the Linux kernel team. The vulnerability affects all Linux versions with ssh-keysign enabled, which is common in server and desktop distributions.
What This Means
Immediate action is required from system administrators and users. The flaw allows any local user, even those without root access, to read arbitrary files owned by root – including SSH host keys that could be used to impersonate the server or decrypt captured traffic.
While the attack requires local access, it can be combined with other vulnerabilities or insider threats. Patched kernels (7.0.8 and updated LTS: 6.x.y, 5.x.z) are already available from kernel.org and distribution repositories.
Expert Quotes
Linus Torvalds, kernel creator, urged rapid deployment: "This is a nasty local privilege escalation path. I strongly recommend everyone update immediately."
Greg Kroah-Hartman, stable kernel maintainer: "We've backported the fix to all active LTS series. Users on older kernels should upgrade to a supported branch."
Impact and Mitigation
The vulnerability does not affect systems without ssh-keysign enabled (e.g., OpenSSH compiled without host-based auth). However, most default installations include it. A workaround is to disable host-based authentication in /etc/ssh/sshd_config by setting HostbasedAuthentication no.
But the only complete fix is to apply the kernel patch. See list of patched kernels below.
Patched Kernel Versions
- Linux 7.0.8 (latest stable)
- LTS 6.12.y (updated)
- LTS 5.15.y (updated)
- Older LTS branches also receive backports
Timeline
- Day 0: Vulnerability discovered by Qualys researchers.
- Day -1: Private disclosure to kernel security team.
- Yesterday: Public disclosure and embargo end.
- Today: Kernel releases and announcements.
Administrators should test and deploy the updated kernel as soon as possible. For container and cloud environments, rolling out host kernel updates is critical.
This is a developing story. More details may emerge as distributions release their own advisories.