Securing Your System: How to Patch the ssh-keysign Vulnerability with a Kernel Update

Overview

The ssh-keysign vulnerability (CVE-2023-48795) allows an unprivileged local attacker to read root-owned files by exploiting a race condition in the kernel's handling of setuid binaries. This critical security flaw affects all major Linux distributions. The latest stable and LTS kernel releases (including version 7.0.8 and updated LTS branches) include patches that close this attack vector. This guide walks you through identifying if you're at risk, updating your kernel, and confirming the fix is in place.

Securing Your System: How to Patch the ssh-keysign Vulnerability with a Kernel Update

Prerequisites

Root or sudo access – Most kernel updates require administrative privileges.
Knowledge of your distribution – Commands differ for Debian/Ubuntu, Fedora/RHEL, Arch, etc.
Backup – Though rare, kernel updates can occasionally cause boot issues. Back up critical data.
Internet connection – To download updated packages.

Step-by-Step Instructions

1. Check Your Current Kernel Version

Run the following command to see your running kernel:

uname -r

If the output is older than 5.15.150 (for LTS) or 6.1.70 (for stable), you likely need an update. The patched versions are 6.1.71+, 5.15.151+, 5.10.204+, 5.4.256+, 4.19.300+, and 4.14.324+ (or the distro-specific equivalent).

2. Update Package Repositories

Refresh your package lists to get the latest kernel metadata.

Debian/Ubuntu:
sudo apt update
Fedora/RHEL/CentOS:
sudo dnf check-update (or sudo yum check-update)
Arch Linux:
sudo pacman -Sy

3. Install the Patched Kernel

The following commands upgrade your kernel to the latest version available in the repositories.

Debian/Ubuntu:
sudo apt upgrade linux-image-generic linux-headers-generic
Note: On some systems, you may need to specify the exact meta-package (e.g., linux-image-5.15.0-91-generic).
Fedora/RHEL/CentOS:
sudo dnf upgrade kernel
(Or sudo yum update kernel)
Arch Linux:
sudo pacman -S linux linux-headers

4. Reboot the System

After the installation completes, reboot to load the new kernel:

sudo reboot

5. Verify the Kernel Update

After reboot, check the version again:

uname -r

Ensure it matches one of the patched versions listed above. Additionally, you can test that the vulnerability is fixed by attempting the exploit (if you have a test environment). For a quick sanity check, run:

ls -l /proc/sys/kernel/grsecurity

This file may not exist; a more reliable check is to ensure your kernel version is in the safe list.

6. (Optional) Remove Old Kernels

To free disk space, consider removing unused kernel images.

Debian/Ubuntu:
sudo apt autoremove
Fedora/RHEL:
sudo dnf remove $(dnf repoquery --installonly --latest-limit=-1 -q)
Arch:
sudo pacman -Rdd $(pacman -Qdtq | grep linux)
(Careful: keep at least one fallback kernel.)

Common Mistakes

Forgetting to reboot – The new kernel only takes effect after a restart. Running uname -r still shows the old version.
Not updating all kernel packages – Some systems separate linux-image, linux-headers, and linux-modules. Install all.
Ignoring GRUB configuration – If you manually edited GRUB, the new kernel might not appear as default. Run sudo update-grub after kernel installation.
Missing firmware updates – New kernels sometimes require updated firmware. On Ubuntu, sudo apt upgrade linux-firmware is recommended.
Assuming all distros use the same kernel version – Distros backport fixes; check your distro's security advisory for the exact package version that fixes ssh-keysign.

Summary

The ssh-keysign vulnerability poses a serious risk by allowing local privilege escalation through file reads. By updating your Linux kernel to a patched version (6.1.71+, 5.15.151+, etc.), you close this attack vector. The process involves checking your current kernel, updating package repositories, installing the updated kernel, rebooting, and verifying. Common pitfalls include skipping the reboot and failing to update all components. Always consult your distribution's official security announcements for the exact package identifiers.

Tags: