Ssh-keysign-pwn: Read root-owned files as unprivileged user

Hi all.

I am wondering if anybody has already seen the following vulnerability:

I tested it briefly on an RL 9.7 (kernel 5.14.0-611.54.1.el9_7) and I was able, as an unprivileged user, to extract the SSH host key (the private part) from under /etc/ssh.

I am not sure if in this case there are mitigations available either, since the exploit relies on ptrace.

Is there anybody looking into it already?

Best regards,

Matteo

Yeah, we’re looking into it. We’re still working on getting the fix out for Fragnesia in the new security repo, so this is one more fix to add on to it.

As a quick fix/workaround (which may also hamper any workflow that relies on ptrace):

sysctl kernel.yama.ptrace_scope=2

For whoever is running systems open to user access (AKA: SSH bastion hosts, HPC clusters of any size), this vulnerability is quite serious (on the level of the previous two, I would say).

Note that setting this to anything except zero will break programs!

Indeed, and that’s why I wrote that the mitigation may hamper quite a few workflows, but in our case, running a multi-user system with hundreds of users running jobs, there was no other easy workaround that we could have applied in less than an hour after we received this notification (15/05 10:30 AM CEST).

We tested the behavior on our systems after the mitigation: debugging may certainly be seriously affected (in some way), and some other cases as well, but currently the side effects are reasonable enough to live with (until a patched kernel arrives).
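The one-liner quoted in the thread only changes the running kernel; it is lost at reboot. The script below is an added example (not posted by anyone in this thread and not Rocky Linux's own tooling) that makes the Yama workaround persistent through a sysctl drop-in, verifies that the drop-in is what actually takes effect, and spells out what each ptrace_scope level blocks, so the side effects discussed above can be weighed before applying it. The drop-in file name, the function names and the --apply flag are this example's own choices.

```shell
#!/bin/sh
# Added example: persistent kernel.yama.ptrace_scope workaround with a dry run.
# Run without arguments to see the current level and the drop-in that would be
# written; run as root with "--apply [level]" to set it (default level 2, as
# suggested in the thread).
set -eu

SCOPE_PATH=/proc/sys/kernel/yama/ptrace_scope
DROPIN=/etc/sysctl.d/99-ptrace-scope.conf   # assumed file name; any name in sysctl.d works

# Yama semantics, from the kernel's Documentation/admin-guide/LSM/Yama.rst.
describe_scope() {
  case "$1" in
    0) echo "classic: any same-uid process may attach (no mitigation)" ;;
    1) echo "restricted: tracer must be an ancestor (or PR_SET_PTRACER target), or hold CAP_SYS_PTRACE" ;;
    2) echo "admin-only: only CAP_SYS_PTRACE may ptrace; unprivileged gdb/strace stop working" ;;
    3) echo "no-attach: ptrace disabled for everyone; cannot be lowered again until reboot" ;;
    *) echo "invalid ptrace_scope value: $1" >&2; return 1 ;;
  esac
}

# Prints the live value, or fails if the kernel has no Yama LSM.
current_scope() {
  [ -r "$SCOPE_PATH" ] && cat "$SCOPE_PATH"
}

# Content of the persistent drop-in. The last line is the setting itself.
render_dropin() {
  printf '# Restrict ptrace while waiting for a patched kernel (ssh-keysign issue)\n'
  printf 'kernel.yama.ptrace_scope = %s\n' "$1"
}

# Applies the level now and makes it survive reboots. Needs root.
apply_scope() {
  scope="$1"
  describe_scope "$scope" >/dev/null          # rejects anything outside 0-3
  render_dropin "$scope" > "$DROPIN"
  sysctl -w "kernel.yama.ptrace_scope=$scope" >/dev/null   # immediate effect
  sysctl --system >/dev/null                  # reload all drop-ins, as systemd-sysctl does at boot
  # The live value must now come from the drop-in, otherwise another file
  # in sysctl.d (or a sysctl.conf entry) is overriding ours.
  [ "$(cat "$SCOPE_PATH")" = "$scope" ] || {
    echo "drop-in did not take effect; check for conflicting sysctl entries" >&2
    return 1
  }
  echo "kernel.yama.ptrace_scope=$scope applied and persisted in $DROPIN"
}

main() {
  if scope=$(current_scope); then
    printf 'current ptrace_scope=%s: %s\n' "$scope" "$(describe_scope "$scope")"
  else
    echo "kernel.yama.ptrace_scope is not available on this kernel (Yama not enabled)"
  fi
  if [ "${1:-}" = "--apply" ]; then
    apply_scope "${2:-2}"
  else
    echo "dry run; with --apply the following would be written to $DROPIN:"
    render_dropin 2
  fi
}

main "$@"
```

Level 2 is the one the thread settled on: it closes same-uid attaches for ordinary users at the cost of user-level debuggers, as the replies above describe. Level 3 looks stricter but is sticky until reboot, which is why the script only prints its description rather than picking it by default. The final comparison in apply_scope matters on hosts that already ship a `kernel.yama.ptrace_scope` line elsewhere under /etc/sysctl.d: `sysctl --system` applies files in lexical order, and a later file silently wins.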