The 4th Linux kernel flaw this month can lead to stolen SSH host keys
A newly discovered vulnerability in the Linux kernel, dubbed "ssh-keysign-pwn," poses a significant security risk by allowing local users to access highly sensitive system files, including SSH host private keys and the shadow password file. This marks the fourth major Linux kernel flaw identified within a few weeks.

The vulnerability stems from a flaw in the kernel's ptrace access check, specifically in the __ptrace_may_access() function, which lets attackers bypass normal security checks during process termination and steal file descriptors from privileged processes. The flaw was disclosed by security researchers at Qualys and has reportedly existed in various forms for approximately six years.

The key exploitation vector involves OpenSSH's ssh-keysign helper binary, which runs with elevated privileges to facilitate host-based authentication. By abusing this binary, attackers can quietly extract SSH host keys, which are critical for machine identity verification in trusted networks. Additionally, access to the shadow password file allows attackers to attempt offline password cracking, potentially compromising user credentials across multiple systems.

While the vulnerability does not directly grant root access, the ability to exfiltrate SSH keys and password hashes significantly enhances an attacker's capability for lateral movement and persistent access within compromised environments. This raises concerns about long-term security implications, especially in enterprise and cloud settings where SSH host keys underpin secure communications and automated trust relationships.

A patch addressing the vulnerability has been released, but it is not yet available across all Linux distributions, leaving many systems exposed. Linus Torvalds, in his explanation of the patch, highlighted the complexity of the issue, noting that the kernel's use of the "dumpable" flag in ptrace_may_access() was not originally intended to cover the affected cases.
Until widespread patch deployment, system administrators are advised to monitor updates closely and consider additional security measures to mitigate potential exploitation.
Original story by ZDNet.