
Cybersecurity researchers have discovered two local privilege escalation (LPE) flaws that can be exploited to gain root privileges on machines running major Linux distributions.
The vulnerabilities, discovered by Qualys, are listed below:
- CVE-2025-6018: LPE to "allow_active" in SUSE 15's Pluggable Authentication Modules (PAM)
- CVE-2025-6019: LPE from "allow_active" to root in libblockdev
“These modern ‘local to root’ exploits have broken the gap between normal logged-in users and full system acquisitions,” says Saeed Abbasi, senior manager at Qualys Threat Research Unit (TRU).

“By checking for legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own active GUI or SSH sessions can appear as root in seconds, past polkit’s allow_active trust zone.”
The cybersecurity company said that CVE-2025-6018 exists in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing unprivileged local attackers to be elevated to the “allow_active” user, a status reserved for users with physical presence, and to invoke Polkit actions.
Meanwhile, CVE-2025-6019 affects libblockdev and is exploitable via the udisks daemon, which is included by default in most Linux distributions. Essentially, it lets an “allow_active” user obtain full root privileges, and it can be chained with CVE-2025-6018.
“It nominally requires the ‘allow_active’ privilege, but udisks ships by default on almost all Linux distributions, so almost every system is vulnerable,” Abbasi added. “The techniques for obtaining ‘allow_active,’ including the PAM issues disclosed here, further deny that barrier.”
Once root privileges are obtained, attackers have carte blanche access to the system, allowing it to be used as a springboard for a wider range of compromise actions, including changing security controls and embedding backdoors for secret access.
Qualys said it has developed proof-of-concept (PoC) exploits to confirm the presence of these vulnerabilities in a variety of operating systems, including Ubuntu, Debian, Fedora and openSUSE Leap 15.
To mitigate the risks posed by these flaws, it is essential to apply the patches provided by Linux distribution vendors. As a temporary workaround, users can change the Polkit rule for “org.freedesktop.udisks2.modify-device” to require administrator authentication (“auth_admin”).
Flaw disclosed in Linux PAM
The disclosure comes as the Linux PAM maintainers resolved a high-severity path traversal flaw (CVE-2025-6020, CVSS score: 7.8) that could allow local users to escalate their privileges to root. This issue has been fixed in version 1.7.1.

“The Linux-PAM module pam_namespace <= 1.7.0 allows access to user-controlled paths without proper protection. This allows local users to increase their privileges through multiple symlink attacks and race conditions.”
Linux systems are vulnerable when they use pam_namespace to set up polyinstantiated directories and the path to either the polyinstantiated directory or the instance directory is under user control. As a workaround for CVE-2025-6020, users can disable pam_namespace or ensure that it does not operate on user-controlled paths.
Olivier Bal-Petre of ANSSI, who reported the defect to the maintainer on January 29, 2025, said that users should also update their names. If you are using what was provided by the distribution to allow one of the two paths to be safely manipulated as root, you need to write a script.