
Uncovering a Chain of Escalated Local Privilege Exposure: Attaining Root Access in SUSE 15 via PAM and libblockdev/udisks by Qualys TRU.

Qualys Threat Research Unit uncovers two interconnected local privilege escalation vulnerabilities. The first, identified as CVE-2025-6018, is found in the Pluggable Authentication Modules (PAM) configuration...

SUSE Linux 15 Vulnerability Exploited: Chain of Local Privilege Escalation Leads to Full Root Access via libblockdev/udisks in PAM


In a recent discovery by the Qualys Threat Research Unit (TRU), two linked local privilege escalation (LPE) flaws have been found in openSUSE Leap 15 and SUSE Linux Enterprise 15. These vulnerabilities, identified as CVE-2025-6018 and CVE-2025-6019, pose a significant threat to Linux systems.

The first vulnerability, CVE-2025-6018, is found in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. This flaw allows an unprivileged local attacker to elevate to the 'allow_active' user and invoke polkit actions, potentially granting access to certain system operations.

The second vulnerability, CVE-2025-6019, is in libblockdev and is exploitable through the udisks daemon. It lets an 'allow_active' user gain full root privileges, a severe escalation of access.

These vulnerabilities can have serious consequences, including the silent unloading of Endpoint Detection and Response (EDR) agents, the implantation of kernel-level backdoors, and the rewriting of system configurations that survive reboots.

The technical details of these vulnerabilities can be found at https://www.oursocials.com/2025/06/17/suse15-pam-udisks-lpe.txt.

To mitigate the libblockdev/udisks vulnerability, the policy for the 'org.freedesktop.udisks2.modify-device' action should be changed to require administrator authentication. For the PAM vulnerability, patching both PAM and libblockdev/udisks everywhere is recommended.
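A defender-side check for the udisks mitigation above, added here as an example (not Qualys's code and not part of the advisory): it reads `pkaction --verbose` output for the modify-device action and classifies its default "implicit active" setting, which is what the recommended policy change tightens to administrator authentication. The sample output is constructed to match pkaction's layout; pkaction reports only the .policy file defaults, so an override placed in a polkit .rules file must be checked separately.

```shell
#!/bin/sh
# Added example: classify the polkit default for the udisks2 modify-device
# action from `pkaction --verbose` output (assumed layout: one
# "implicit active: <value>" line). Not part of the Qualys advisory.
ACTION_ID="org.freedesktop.udisks2.modify-device"

# Print the value of the "implicit active:" line read from stdin.
implicit_active() {
    awk -F': *' '/^[[:space:]]*implicit active:/ {
        gsub(/[[:space:]]+$/, "", $2); print $2; exit }'
}

# Return 0 when the setting forces admin authentication (or denies outright),
# 1 when an allow_active user gets the action without admin credentials.
policy_requires_admin() {
    case "$1" in
        auth_admin|auth_admin_keep|no) return 0 ;;
        *) return 1 ;;   # yes, auth_self, auth_self_keep
    esac
}

# Read pkaction output on stdin and report the result; exit status 1 = weak.
check_udisks_policy() {
    value=$(implicit_active)
    if [ -z "$value" ]; then
        echo "UNKNOWN: no 'implicit active' line found for $ACTION_ID"
        return 2
    fi
    if policy_requires_admin "$value"; then
        echo "OK: $ACTION_ID implicit active = $value"
        return 0
    fi
    echo "WEAK: $ACTION_ID implicit active = $value (no admin auth for allow_active users)"
    return 1
}

# Constructed sample in pkaction's layout for offline runs; on a live host use:
#   pkaction --verbose --action-id "$ACTION_ID" | check_udisks_policy
SAMPLE_WEAK='org.freedesktop.udisks2.modify-device:
  description:       Modify a device
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_WEAK" | check_udisks_policy
fi
```

Run it with `--demo` to see the weak verdict on the constructed sample, or pipe real pkaction output into `check_udisks_policy` on a host you administer.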

Qualys VMDR, in combination with TruRisk and the Qualys Query Language (QQL), can be used to efficiently identify and prioritize vulnerable assets. Organizations can leverage Qualys VMDR to rapidly respond to, prioritize, and address associated risks.

It is important to note that chaining CVE-2025-6018 with CVE-2025-6019 enables a purely unprivileged attacker to achieve full root access. Linux distributions using affected versions of the Linux kernel prior to the patches released in 2025, including popular distributions like Ubuntu, Debian, Fedora, and CentOS, are particularly vulnerable.

Qualys will release QIDs for these vulnerabilities as they become available. Always prioritize patches and follow specific instructions from your Linux distribution vendor's advisory.

These flaws are significant as they are ubiquitous and require minimal effort for an attacker to exploit. Chaining these vulnerabilities allows any SSH user on SUSE 15/Leap 15 to escalate from 'normal' to root.

Links to patches for the vulnerabilities can be found at https://www.openwall.com/lists/oss-security/2025/06/17/5.

Stay vigilant and prioritize system security to protect your fleet from these threats.
