Full Report
Two critical Linux flaws allow unprivileged users to gain root access, affecting major distributions
Analysis Summary
# Vulnerability: Linux Privilege Escalation Chain Allowing Local Root Access
## CVE Details
- CVE ID: CVE-2025-6018, CVE-2025-6019
- CVSS Score: *Not given in the source. The article describes both flaws as critical because the chain ends in root on a default installation.*
- CWE: *Not given in the source. The first flaw is a configuration weakness (a PAM stack that gives remote logins local-console status); the second is an access-control flaw in `libblockdev` reached through `udisks`.*
## Affected Systems
- Products: the PAM configuration shipped by openSUSE/SUSE (CVE-2025-6018); `libblockdev`, exposed to local users through the `udisks` daemon (CVE-2025-6019). `udisks` is installed by default on most major distributions, so the second flaw is not SUSE-specific.
- Versions: openSUSE Leap 15 and SUSE Linux Enterprise 15 are the systems named for the PAM misconfiguration. The source gives no version ranges or fixed versions for `libblockdev`/`udisks`; consult your distribution's advisory.
- Configurations: any host where an unprivileged user can open a session (an SSH login is enough; no console or physical access is needed) with the affected PAM stack, and where `udisks` backed by `libblockdev` is present, as it is in a default installation.
## Vulnerability Description
This summary covers a two-step chain that takes an unprivileged local user to **root**:
1. **CVE-2025-6018 (PAM misconfiguration):** the PAM stack on openSUSE Leap 15 / SUSE Linux Enterprise 15 lets a session opened over SSH be registered as if the user were sitting at the local console. polkit's `allow_active` authorizations are intended for exactly that case (an active session on a local seat) and are typically permissive, since a physically present user is trusted with operations such as mounting removable media; a remote login that acquires the same status inherits every `allow_active` permission on the system.
2. **CVE-2025-6019 (`libblockdev` via `udisks`):** with `allow_active` in hand, the user can reach storage operations that `udisks` performs through `libblockdev` on behalf of console users, and a flaw in `libblockdev` turns that access into full **root**. Because `udisks` ships by default on most distributions, this step is not limited to SUSE; on its own, however, it needs an attacker who already holds `allow_active`, which is what the first flaw supplies on SUSE systems.
## Exploitation
- Status: the source describes a low-effort path to root but does not say whether exploit code has been published; treat the chain as practical.
- Complexity: Low (any unprivileged login suffices; an SSH account is enough, and no user interaction or physical access is required).
- Attack Vector: Local (requires an authenticated, unprivileged session on the target; network access alone is not enough).
## Impact
- Confidentiality: High (root reads every file on the host, including credentials and keys for other systems).
- Integrity: High (root can alter or destroy any file, install persistence, or tamper with logs).
- Availability: High (root can stop services, wipe data, or take the host down).
## Remediation
### Patches
- The source gives no fixed package versions. Apply the SUSE/openSUSE updates that correct the PAM configuration (CVE-2025-6018) and, on every distribution that ships `udisks`, the `libblockdev`/`udisks` updates for CVE-2025-6019; check your vendor's advisory for the exact versions.
### Workarounds
- `allow_active` is a polkit authorization level, not a PAM option. Until patched, audit the PAM stack so that SSH and other remote logins are not registered as active local-console sessions, and tighten polkit so that `udisks` actions that default to `allow_active` require administrator authentication instead.
- Limit SSH (and any other remote login) to the users who need it until updates are applied; every unprivileged account with a login is a potential root.
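One concrete way to apply the polkit tightening described above, as an added example that is not from the article or from any vendor advisory: a `rules.d` fragment that makes the `udisks` device-modification action require an administrator password even for sessions polkit would otherwise treat as active local users, plus a probe that reports whether the current shell already holds that authorization. Assumptions: polkit with JavaScript rules (polkit 0.106 or later, as on SUSE 15), and that the action the chain relies on is the stock `org.freedesktop.udisks2.modify-device`. The source does not name the action, so confirm it against the installed policy (`/usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy`) before relying on this. The rule cuts the chain at the `udisks` step; it fixes neither CVE.

```shell
#!/usr/bin/env bash
# Added example (not from the article, SUSE or Qualys): install a polkit rule
# that demands administrator authentication for udisks device modification,
# and probe whether the calling session is currently authorized for it.
#
# Assumption: the chain relies on the stock udisks action
# org.freedesktop.udisks2.modify-device, which defaults to allow_active.
# Verify that against your udisks policy file before deploying.

RULE_NAME="10-udisks2-require-admin.rules"
UDISKS_ACTION="org.freedesktop.udisks2.modify-device"

# write_udisks_rule [DIR] writes the rule into DIR (default: the system
# polkit rules directory). Run as root for the real directory.
write_udisks_rule() {
    dir="${1:-/etc/polkit-1/rules.d}"
    cat > "$dir/$RULE_NAME" <<'EOF'
// Require an administrator password for udisks device modification, even
// from sessions that polkit would otherwise treat as active local users.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
    chmod 0644 "$dir/$RULE_NAME"
}

# rule_installed [DIR] returns 0 when the rule file exists and names the action.
rule_installed() {
    dir="${1:-/etc/polkit-1/rules.d}"
    grep -q "$UDISKS_ACTION" "$dir/$RULE_NAME" 2>/dev/null
}

# check_self asks polkitd whether this shell's process is authorized for the
# action without any interaction. Exit status 0 means "authorized": an
# ordinary SSH session that gets 0 here has the allow_active status this
# advisory describes, and the rule above should make it non-zero.
check_self() {
    pkcheck --action-id "$UDISKS_ACTION" --process "$$"
}
```

Source the file, run `check_self` from an unprivileged SSH session before and after calling `write_udisks_rule` as root (polkitd picks up new rules without a restart), and keep the rule until patched packages are in place. Expect desktop disk tools to start prompting for a password on operations that were silent before, since they go through the same action.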
## Detection
- Indicators of compromise: `udisks` activity (D-Bus calls to the daemon, new block devices or mounts) originating from a session that logged in over SSH; login sessions that `systemd-logind` reports as remote yet attached to a local seat; a root shell or root-owned process whose parent chain leads back to an unprivileged user's `sshd` session.
- Detection methods and tools: this is host-side activity, so network IDS/IPS will not see it. Use `loginctl` to compare each session's remote flag with its seat and active state, audit rules or D-Bus monitoring for calls to `udisks` by non-root users, and EDR or auditd rules that alert when an unprivileged SSH session spawns a uid 0 process.
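The session check listed above, and the `allow_active` mechanism described under Vulnerability Description, can be verified directly on a host. The following script is an added example, not code from the article, SUSE or Qualys. It parses `loginctl show-session` style output and flags sessions that `systemd-logind` reports as both remote and attached to a seat: polkit treats a session as an active local user when logind shows it active on a local seat, so an SSH login that carries a seat is the state the PAM misconfiguration produces and a correctly configured stack never does. The session dump embedded in the script is constructed sample data; the `--live` switch queries `loginctl` on the running host instead.

```shell
#!/usr/bin/env bash
# Added example (not from the article, SUSE or Qualys): flag login sessions
# that systemd-logind reports as both remote and bound to a seat. polkit
# grants allow_active only to sessions that are active on a local seat, so a
# remote (sshd) session with a seat is the misconfigured state this advisory
# describes. Note that logind reports seatless sessions as Active=yes, so
# Active alone is not a useful discriminator; the seat is.

# flag_remote_seated reads KEY=VALUE blocks (one session per block, blocks
# separated by a blank line, as `loginctl show-session` prints them) from
# stdin and prints "Id Name Seat" for every session with Remote=yes and a
# non-empty Seat.
flag_remote_seated() {
    awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            split("", p)
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 0) p[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (p["Remote"] == "yes" && p["Seat"] != "")
                printf "%s %s %s\n", p["Id"], p["Name"], p["Seat"]
        }'
}

# Constructed sample: three sessions. Only session 3 (an sshd login that
# somehow acquired seat0) should be flagged; session 4 is a normal SSH
# session and session 1 is a normal console login.
SAMPLE_SESSIONS='Id=3
Name=alice
Remote=yes
Active=yes
Seat=seat0
Service=sshd

Id=4
Name=bob
Remote=yes
Active=yes
Seat=
Service=sshd

Id=1
Name=carol
Remote=no
Active=yes
Seat=seat0
Service=gdm-password'

# dump_live_sessions emits the same properties for every current session,
# in the block format flag_remote_seated expects.
dump_live_sessions() {
    loginctl list-sessions --no-legend | awk '{ print $1 }' | while read -r id; do
        loginctl show-session "$id" -p Id -p Name -p Remote -p Active -p Seat -p Service
        echo
    done
}

if [ "${1:-}" = "--live" ]; then
    dump_live_sessions | flag_remote_seated
else
    printf '%s\n' "$SAMPLE_SESSIONS" | flag_remote_seated
fi
```

Run it with `--live` on an openSUSE/SLE host from an ordinary SSH session; a correctly configured host prints nothing for remote sessions. A hit for a session whose `Service=sshd` is the first half of the chain whether or not any exploit has run, so this doubles as a configuration audit and a hunt for the state an attacker needs.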
## References
- Vendor advisories: SUSE/openSUSE security advisories for CVE-2025-6018 and CVE-2025-6019; advisories from other distributions that ship `udisks` for CVE-2025-6019.
- Relevant links:
  - infosecurity-magazine.com/news/linux-flaws-allowing-root-access/ (URL defanged in source)
  - qualys.com (the research vendor named in the article; its advisory should carry the technical details; URL defanged in source)