Full Report
Cybersecurity researchers have uncovered two local privilege escalation (LPE) flaws that could be exploited to gain root privileges on machines running major Linux distributions. The vulnerabilities, discovered by Qualys, are listed below:
- CVE-2025-6018 - LPE from unprivileged to allow_active in SUSE 15's Pluggable Authentication Modules (PAM)
- CVE-2025-6019 - LPE from allow_active to root in
Analysis Summary
# Vulnerability: Chained Linux LPE (PAM Misconfiguration and udisks Daemon Flaw) Granting Root Access
## CVE Details
- CVE ID: CVE-2025-6018, CVE-2025-6019
- CVSS Score: Not given in the source. Qualys describes the chain as yielding full root from an unprivileged local account, which implies High or Critical severity.
- CWE: Weakness related to Authentication/Privilege Escalation (Specific CWE not provided in text)
## Affected Systems
- Products: SUSE Linux Enterprise 15 and openSUSE Leap 15 (CVE-2025-6018); any distribution whose udisks daemon uses `libblockdev`, which is nearly every Linux distribution that ships udisks by default (CVE-2025-6019).
- Versions: The PAM configuration shipped with SUSE 15; `libblockdev` as consumed by the udisks daemon. Fixed versions are not stated in the source text.
- Configurations: An unprivileged local account is enough. On SUSE 15 any login, including SSH, suffices because CVE-2025-6018 places the session in Polkit's `allow_active` trust zone; on other distributions the attacker needs a session Polkit already treats as active, i.e. a physically present login such as a GUI session.
## Vulnerability Description
Two chained local privilege escalation (LPE) vulnerabilities, discovered by Qualys, let an unprivileged local user obtain full root access.
1. **CVE-2025-6018 (PAM flaw):** An LPE flaw in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15 lets an unprivileged local attacker elevate to the **`allow_active`** user context, the Polkit trust zone reserved for physically present users, and thereby execute Polkit actions that should require physical presence.
2. **CVE-2025-6019 (udisks flaw):** A flaw in the `libblockdev` components used by the `udisks` daemon lets a user already in the **`allow_active`** context (reached via CVE-2025-6018 on SUSE 15, or simply by holding a physically present session on other distributions) gain **full root privileges**. The chain as a whole relies only on legitimate functionality: udisks loop-mounts and PAM environment quirks.
## Exploitation
- Status: PoC available. Qualys developed working exploits for Ubuntu, Debian, Fedora and openSUSE Leap 15.
- Complexity: Low. Once the `allow_active` stage is reached, escalation to root is quick.
- Attack Vector: Local
## Impact
- Confidentiality: High (Full system takeover allows access to all data)
- Integrity: High (Full control over system files and configurations)
- Availability: High (Full control, potentially leading to denial of service or system modification)
## Remediation
### Patches
- Users must apply patches provided by their specific Linux distribution vendors (e.g., Debian, Ubuntu, Fedora, SUSE). Specific patch versions are not detailed in the provided text but should be sought via vendor advisories.
### Workarounds
- Modify the Polkit rule for `org.freedesktop.udisks2.modify-device` so that it requires administrator authentication (`auth_admin`) instead of granting the action to `allow_active` users. This blocks the udisks half of the chain on every distribution; it does not fix the PAM issue (CVE-2025-6018) on SUSE 15, which still requires the vendor patch.
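As an added example (not from the Qualys advisory or the udisks project), the workaround rule as it would be written in `/etc/polkit-1/rules.d/`, together with a constructed stand-in for polkitd's rule engine so the before/after decision can be checked offline. The file name, the stand-in engine, the `decide` function and the assumed shipped defaults for the action (`allow_active: yes`) are this example's assumptions; only the body of `WORKAROUND_RULE` is polkit syntax.

```javascript
"use strict";
// Added example: the CVE-2025-6019 workaround as a polkit rule, plus a
// constructed stand-in for polkitd's rule engine so the before/after decision
// can be checked offline. Only the body of WORKAROUND_RULE is polkit syntax;
// everything else here is test scaffolding, not polkit code.

// Stand-in for the global `polkit` object that polkitd exposes to rule files.
const polkit = {
  Result: {
    YES: "yes",
    NO: "no",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  rules: [],
  addRule(fn) {
    this.rules.push(fn);
  },
};

const ACTION = "org.freedesktop.udisks2.modify-device";

// Implicit authorizations for the action from udisks2's .policy file, as this
// example assumes them: an active local session is allowed with no prompt,
// which is the property that lets an allow_active user reach the flaw.
const IMPLICIT_DEFAULTS = {
  [ACTION]: { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "yes" },
};

// Mirror of polkitd's decision order: rule files run first, in order, and the
// first rule that returns a result wins; otherwise the .policy defaults apply.
function decide(actionId, subject) {
  const action = { id: actionId };
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  const d = IMPLICIT_DEFAULTS[actionId];
  if (d === undefined) return "no"; // unknown action: treated as denied here
  if (subject.local && subject.active) return d.allow_active;
  if (subject.local) return d.allow_inactive;
  return d.allow_any;
}

// Contents of /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (the file
// name is this example's choice): force administrator authentication for
// every caller, regardless of session state.
const WORKAROUND_RULE = function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  // Returning nothing leaves every other action at its default.
};

// Weak state: no rule installed, so an active local session is simply allowed.
function beforeWorkaround(subject) {
  polkit.rules = [];
  return decide(ACTION, subject);
}

// Hardened state: the rule file is in place.
function afterWorkaround(subject) {
  polkit.rules = [];
  polkit.addRule(WORKAROUND_RULE);
  return decide(ACTION, subject);
}

const activeLocalUser = { user: "alice", local: true, active: true };
console.log("before workaround:", beforeWorkaround(activeLocalUser)); // yes
console.log("after workaround: ", afterWorkaround(activeLocalUser));  // auth_admin
```

On a real host, drop the rule file into `/etc/polkit-1/rules.d/` (polkitd picks up changes to that directory without a restart) and confirm from an active session that `pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$` no longer reports the caller as authorized. Expect authentication prompts for desktop users who legitimately modify disks, and remember that this mitigates only the udisks half of the chain.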
## Detection
- Indicators of compromise: A process running as root (effective UID 0) inside an unprivileged user's login session that did not pass through a sanctioned path such as `sudo`, `su` or `pkexec`, especially shortly after D-Bus or Polkit activity involving `udisks2` (for example loop-device or filesystem operations requested by a non-administrative user).
- Detection methods and tools: Audit `execve` with `auditd` and alert on records where the login UID (`auid`) belongs to an ordinary user but the effective UID is 0 and the executable is not an expected privilege-granting binary; correlate such hits with `udisks2` and Polkit activity in the system journal from the same session.
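An added example of the audit-record triage described above (not from the source article or any vendor tooling): it parses auditd `SYSCALL` records and flags the ones where an ordinary user's session is executing as root through an unexpected binary. It assumes an audit rule collecting `execve`, for instance `-a always,exit -F arch=b64 -S execve -k root-exec` (the key name is this example's choice), and the sample records are constructed to resemble auditd output rather than taken from a real incident. The sanctioned-binary list and the UID threshold are assumptions to adjust per host.

```javascript
"use strict";
// Added example: audit-log triage for the detection method above. It flags
// auditd SYSCALL records in which a logged-in unprivileged user (auid) is
// executing with euid 0 through a binary that is not a sanctioned
// privilege-granting program. The sample records below are constructed to
// look like auditd output and are not from a real incident.

// Binaries that legitimately take an ordinary user to euid 0 (adjust per host).
const SANCTIONED_ROOT_PATHS = new Set([
  "/usr/bin/sudo",
  "/usr/bin/su",
  "/usr/bin/pkexec",
  "/usr/bin/passwd",
]);
const UID_MIN = 1000;          // first ordinary-user UID on most distributions
const AUID_UNSET = 4294967295; // auditd's value for "no login uid" (daemons, cron)

// Parse one auditd record into a key/value object. Quoted values lose their
// quotes; the msg=audit(ts:serial) field is also split into timestamp/serial.
function parseAuditRecord(line) {
  const rec = {};
  const kv = /(\w+)=("[^"]*"|\S+)/g;
  let m;
  while ((m = kv.exec(line)) !== null) {
    let value = m[2];
    if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    rec[m[1]] = value;
  }
  const ts = /audit\((\d+\.\d+):(\d+)\)/.exec(line);
  if (ts) {
    rec.timestamp = Number(ts[1]);
    rec.serial = Number(ts[2]);
  }
  return rec;
}

// True when an ordinary user's session is executing as root through an
// unexpected binary. Records from daemons (auid unset) and from users who
// have not changed privilege are ignored.
function isSuspiciousRootExec(rec) {
  if (rec.type !== "SYSCALL") return false;
  const auid = Number(rec.auid);
  const euid = Number(rec.euid);
  if (!Number.isFinite(auid) || auid === AUID_UNSET || auid < UID_MIN) return false;
  if (euid !== 0) return false;
  return !SANCTIONED_ROOT_PATHS.has(rec.exe);
}

function findSuspicious(lines) {
  return lines.map(parseAuditRecord).filter(isSuspiciousRootExec);
}

// Constructed sample: a sudo invocation, a root cron job, an ordinary user
// shell, and a root shell inside the user's session (the one that should fire).
const SAMPLE_AUDIT_LINES = [
  'type=SYSCALL msg=audit(1750175000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined key="root-exec"',
  'type=SYSCALL msg=audit(1750175010.205:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=4200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" subj=unconfined key="root-exec"',
  'type=SYSCALL msg=audit(1750175020.330:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined key="root-exec"',
  'type=SYSCALL msg=audit(1750175030.412:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=4350 pid=4351 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined key="root-exec"',
];

for (const hit of findSuspicious(SAMPLE_AUDIT_LINES)) {
  console.log(`suspicious: serial=${hit.serial} auid=${hit.auid} euid=${hit.euid} exe=${hit.exe} tty=${hit.tty}`);
}
```

The allowlist is what keeps this from paging on every `sudo`; the `auid` checks are what keep root's own daemons and cron jobs out of the results. A hit on its own only says that a user session reached root by an unexpected route; tying it to the chain on this page means looking at the same session's `udisks2` D-Bus and Polkit activity in the journal around the record's timestamp.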
## References
- Vendor advisories (Must be checked by specific distributors like Red Hat/SUSE, Debian, etc.)
- Relevant links - defanged:
- Primary finding source: hxxps://www.openwall.com/lists/oss-security/2025/06/17/4
- Qualys research blog: hxxps://blog.qualys.com/vulnerabilities-threat-research/2025/06/17/qualys-tru-uncovers-chained-lpe-suse-15-pam-to-full-root-via-libblockdev-udisks
- Original article source: hxxps://thehackernews.com/2025/06/new-linux-flaws-enable-full-root-access.html