Overview
The ssh-keysign vulnerability (CVE-2023-48795) allows an unprivileged local attacker to read root-owned files by exploiting a race condition in the kernel's handling of setuid binaries. This critical security flaw affects all major Linux distributions. The latest stable and LTS kernel releases (including version 7.0.8 and updated LTS branches) include patches that close this attack vector. This guide walks you through identifying if you're at risk, updating your kernel, and confirming the fix is in place.
Prerequisites
- Root or sudo access – Most kernel updates require administrative privileges.
- Knowledge of your distribution – Commands differ for Debian/Ubuntu, Fedora/RHEL, Arch, etc.
- Backup – Though rare, kernel updates can occasionally cause boot issues. Back up critical data.
- Internet connection – To download updated packages.
Step-by-Step Instructions
1. Check Your Current Kernel Version
Run the following command to see your running kernel:
uname -rIf the output is older than 5.15.150 (for LTS) or 6.1.70 (for stable), you likely need an update. The patched versions are 6.1.71+, 5.15.151+, 5.10.204+, 5.4.256+, 4.19.300+, and 4.14.324+ (or the distro-specific equivalent).
2. Update Package Repositories
Refresh your package lists to get the latest kernel metadata.
- Debian/Ubuntu:
sudo apt update - Fedora/RHEL/CentOS:
sudo dnf check-update(orsudo yum check-update) - Arch Linux:
sudo pacman -Sy
3. Install the Patched Kernel
The following commands upgrade your kernel to the latest version available in the repositories.
- Debian/Ubuntu:
sudo apt upgrade linux-image-generic linux-headers-generic
Note: On some systems, you may need to specify the exact meta-package (e.g.,linux-image-5.15.0-91-generic). - Fedora/RHEL/CentOS:
sudo dnf upgrade kernel
(Orsudo yum update kernel) - Arch Linux:
sudo pacman -S linux linux-headers
4. Reboot the System
After the installation completes, reboot to load the new kernel:
sudo reboot5. Verify the Kernel Update
After reboot, check the version again:
uname -rEnsure it matches one of the patched versions listed above. Additionally, you can test that the vulnerability is fixed by attempting the exploit (if you have a test environment). For a quick sanity check, run:
ls -l /proc/sys/kernel/grsecurityThis file may not exist; a more reliable check is to ensure your kernel version is in the safe list.
6. (Optional) Remove Old Kernels
To free disk space, consider removing unused kernel images.
- Debian/Ubuntu:
sudo apt autoremove - Fedora/RHEL:
sudo dnf remove $(dnf repoquery --installonly --latest-limit=-1 -q) - Arch:
sudo pacman -Rdd $(pacman -Qdtq | grep linux)
(Careful: keep at least one fallback kernel.)
Common Mistakes
- Forgetting to reboot – The new kernel only takes effect after a restart. Running
uname -rstill shows the old version. - Not updating all kernel packages – Some systems separate
linux-image,linux-headers, andlinux-modules. Install all. - Ignoring GRUB configuration – If you manually edited GRUB, the new kernel might not appear as default. Run
sudo update-grubafter kernel installation. - Missing firmware updates – New kernels sometimes require updated firmware. On Ubuntu,
sudo apt upgrade linux-firmwareis recommended. - Assuming all distros use the same kernel version – Distros backport fixes; check your distro's security advisory for the exact package version that fixes ssh-keysign.
Summary
The ssh-keysign vulnerability poses a serious risk by allowing local privilege escalation through file reads. By updating your Linux kernel to a patched version (6.1.71+, 5.15.151+, etc.), you close this attack vector. The process involves checking your current kernel, updating package repositories, installing the updated kernel, rebooting, and verifying. Common pitfalls include skipping the reboot and failing to update all components. Always consult your distribution's official security announcements for the exact package identifiers.