A security vulnerability has been identified by the Qualys Threat Research Unit (TRU), revealing a chain of local privilege escalation (LPE) flaws that could allow an unprivileged attacker to gain full root access on SUSE Linux Enterprise 15, openSUSE Leap 15, and potentially other Linux distributions. This discovery poses a critical risk, demanding immediate attention from system administrators and users.
Key Points of the Vulnerability
The research uncovered two interconnected vulnerabilities:
- CVE-2025-6018: A misconfiguration within the Pluggable Authentication Modules (PAM) of openSUSE Leap 15 and SUSE Linux Enterprise 15. This flaw incorrectly treats remote SSH sessions as if the user were physically present, granting unauthorized access to critical polkit operations.
- CVE-2025-6019: A vulnerability in libblockdev, which can be exploited through the udisks daemon. This flaw allows any user within the “allow_active” context to escalate their privileges directly to root.
By chaining these two vulnerabilities, an attacker can move from an unprivileged state to complete control over a compromised system.
User Impact: Grave Consequences for Compromised Systems
The implications of this vulnerability are severe. With full root access, attackers can:
- Disable Security: Unload Endpoint Detection and Response (EDR) agents, effectively blinding security teams.
- Persistent Access: Implant kernel-level backdoors for long-term access and control.
- System Tampering: Rewrite critical system configurations, potentially leading to system instability or further compromise.
- Lateral Movement: Utilize compromised servers as launching pads for attacks on other systems within the network.
The fact that udisks is a default component on nearly all Linux distributions makes this a universal and critical risk. A single compromised system running vulnerable default server packages could quickly lead to a widespread compromise across an entire fleet of machines.
Important Remediation Steps
Organizations and individual users are urged to deploy patches without delay.
- Patch Availability: Patches are available through the official channels.
  - For openSUSE/SLE 15, refer to the security announcement on Openwall Lists.
- Immediate Mitigation: As an interim measure, administrators can modify the polkit rule for the action “org.freedesktop.udisks2.modify-device”, changing its allow_active setting from yes to auth_admin so that active (seat-local) users must authenticate as an administrator before udisks performs the operation.
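One way to apply that interim mitigation without editing the packaged .policy file is a polkit rules.d override. The block below is an added example, not code from the advisory or from the udisks/polkit projects: the rule itself is what would go into a rules file (assumed path /etc/polkit-1/rules.d/10-udisks2-hardening.rules, polkit with JavaScript rules support), and the surrounding stand-in for polkitd's rule engine is constructed here only so the effect can be checked offline.

```javascript
// Added example: polkit rules.d override for the interim mitigation, plus a
// constructed stand-in for polkitd's rule evaluation so it runs offline.
// Assumption: polkitd with JavaScript rules (polkit >= 0.106); install the
// addRule() call below as /etc/polkit-1/rules.d/10-udisks2-hardening.rules.
const ACTION_ID = "org.freedesktop.udisks2.modify-device";

// Stand-in for the `polkit` global that rules files see: only addRule() and
// Result are modelled (constructed for this example).
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Constructed stand-in for the <defaults> of the vulnerable .policy entry.
// allow_active=yes lets an "active" (seat-local) user act without
// authenticating; CVE-2025-6018 makes SSH sessions look active.
const policyDefaults = {
  [ACTION_ID]: { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "yes" },
};

// polkitd semantics: rules run in order, the first non-undefined result wins,
// otherwise the .policy default for the subject's session class applies.
function evaluate(actionId, subject, rules = polkit._rules) {
  const action = { id: actionId };
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined) return r;
  }
  const d = policyDefaults[actionId];
  if (!d) return polkit.Result.NO;
  if (!subject.local) return d.allow_any;
  return subject.active ? d.allow_active : d.allow_inactive;
}

// --- the override: this addRule() call is the content of the .rules file ---
function installHardeningRule() {
  polkit.addRule(function (action, subject) {
    if (action.id === ACTION_ID) {
      return polkit.Result.AUTH_ADMIN; // overrides the allow_active=yes default
    }
  });
}

// A session that CVE-2025-6018 causes to be treated as local and active.
const sshSession = { local: true, active: true };
console.log("before override:", evaluate(ACTION_ID, sshSession, []));
installHardeningRule();
console.log("after override: ", evaluate(ACTION_ID, sshSession));
```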
This vulnerability underscores the importance of timely patching and proactive security measures to protect Linux-based systems from sophisticated attacks.