Cybersecurity researchers at Qualys have uncovered two local privilege escalation (LPE) vulnerabilities affecting openSUSE Leap 15 and SUSE Linux Enterprise 15 that, chained together, let an unprivileged user become root. The flaws, tracked as CVE-2025-6018 and CVE-2025-6019, are described in a detailed advisory Qualys published on June 17, 2025.
CVE-2025-6018: From Unprivileged to "allow_active" via PAM
The first flaw arises from the Pluggable Authentication Module (PAM) configuration in SUSE systems. An unprivileged local attacker who logs in over SSH can abuse the pam_env module's reading of a user-controlled environment file to set variables such as XDG_SEAT and XDG_VTNR. pam_systemd hands those values to systemd-logind when it registers the session, so the SSH session is recorded as active on a physical seat and virtual console, which is exactly the condition Polkit calls "allow_active."
By exploiting this, attackers can execute actions normally reserved for users at the physical console, such as rebooting the machine or mounting filesystems.
🔍 Proof of Concept: By adding a few lines to ~/.pam_environment, an attacker can change how pam_systemd describes their session to logind, effectively impersonating a local user sitting at the machine.
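The check a practitioner wants at this point is whether a PAM stack still lets pam_env read a user-controlled environment file, and what the planted file looks like. The script below is an added example, not code from the Qualys advisory, SUSE or the Linux-PAM project: it audits PAM configuration text for pam_env.so lines lacking user_readenv=0 (Linux-PAM before 1.5.0 defaulted user_readenv to 1, so an absent option is treated as unsafe), scans a pam_environment-format file for XDG_SEAT/XDG_VTNR, and rewrites the weak line to the fixed form. All file contents are constructed samples, not real SUSE configuration.

```shell
#!/bin/sh
# Added example (not from the Qualys advisory, SUSE or Linux-PAM): audit a PAM
# stack for the pam_env setting that lets ~/.pam_environment reach pam_systemd,
# and spot the XDG_SEAT/XDG_VTNR lines an attacker would plant there.
# Every file written below is a constructed sample.
set -eu

# True (exit 0) when a PAM config file loads pam_env.so without user_readenv=0.
# Linux-PAM releases before 1.5.0 default user_readenv to 1, so only an explicit
# user_readenv=0 counts as safe here. Comment lines are ignored.
pam_env_reads_user_env() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -E 'pam_env\.so' \
        | grep -Evq 'user_readenv=0'
}

# True (exit 0) when a pam_environment-format file tries to set XDG_SEAT or
# XDG_VTNR, whether spelled "VAR=value" or "VAR DEFAULT=... OVERRIDE=...".
pam_environment_spoofs_seat() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*(XDG_SEAT|XDG_VTNR)([[:space:]]|=)'
}

# Copy PAM config $1 to $2 with every non-comment pam_env.so line forced to
# user_readenv=0: an existing user_readenv=1 is replaced, a missing option is
# appended. Comment lines are passed through untouched.
harden_pam_env() {
    sed -E \
        -e '/^[[:space:]]*#/b' \
        -e '/pam_env\.so/{' \
        -e 's/user_readenv=1/user_readenv=0/' \
        -e '/user_readenv=0/!s/$/ user_readenv=0/' \
        -e '}' \
        "$1" > "$2"
}

SAMPLES=$(mktemp -d)

# Constructed: a session stack that still lets pam_env read the user's file.
cat > "$SAMPLES/common-session.vulnerable" <<'EOF'
# constructed sample, not a real SUSE file
session required pam_env.so readenv=1 user_readenv=1
session optional pam_systemd.so
EOF

# Constructed: the same stack with the fix the advisory recommends.
cat > "$SAMPLES/common-session.fixed" <<'EOF'
session required pam_env.so readenv=1 user_readenv=0
session optional pam_systemd.so
EOF

# Constructed: what a malicious ~/.pam_environment would carry to claim seat0, VT1.
cat > "$SAMPLES/pam_environment.malicious" <<'EOF'
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
EOF

# Constructed: a benign user file that only sets a locale.
cat > "$SAMPLES/pam_environment.benign" <<'EOF'
LANG DEFAULT=en_US.UTF-8
EOF

for f in "$SAMPLES/common-session.vulnerable" "$SAMPLES/common-session.fixed"; do
    if pam_env_reads_user_env "$f"; then
        echo "VULNERABLE: $(basename "$f") lets pam_env read ~/.pam_environment"
    else
        echo "ok: $(basename "$f") sets user_readenv=0"
    fi
done

for f in "$SAMPLES"/pam_environment.*; do
    if pam_environment_spoofs_seat "$f"; then
        echo "SUSPICIOUS: $(basename "$f") sets XDG_SEAT/XDG_VTNR"
    fi
done

harden_pam_env "$SAMPLES/common-session.vulnerable" "$SAMPLES/common-session.hardened"
echo "hardened copy written to $SAMPLES/common-session.hardened"
```

On a live host, run pam_env_reads_user_env over each file in /etc/pam.d and pam_environment_spoofs_seat over every home directory's .pam_environment. To confirm that an SSH session is not being treated as a console session, inspect it with loginctl show-session "$XDG_SESSION_ID" -p Seat -p Active: an SSH login should report an empty Seat and Active=no.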
CVE-2025-6019: From "allow_active" to Full Root via libblockdev and udisks
Once elevated to "allow_active," attackers can chain a second vulnerability in the udisks daemon. This service, enabled by default on many Linux distributions, uses libblockdev to carry out disk operations. When libblockdev resizes an XFS filesystem it first mounts it on a temporary directory under /tmp, and it does so without the nosuid and nodev mount options that would neutralize a setuid binary or device node inside the image.
🧨 Exploit: Attackers craft an XFS image containing a SUID-root shell, attach it as a loop device through udisks, and request a filesystem resize. During the resize the image is mounted without nosuid, so the attacker simply runs the SUID-root shell from the temporary mountpoint and gains full control of the system.
Combined Threat: SSH to Root in Two Steps
While each vulnerability is severe on its own, the combination is particularly dangerous. Together, they allow any SSH-accessible user on a vulnerable SUSE machine to gain full root control without any prior privileges.
💬 "This chained exploitation path is a textbook example of how minor configuration weaknesses can snowball into critical root access," noted the Qualys team.
Broader Impact and Context
Only CVE-2025-6018 is tied to SUSE's PAM configuration; CVE-2025-6019 lives in libblockdev and udisks, which ship with most distributions. Qualys highlighted Debian and Ubuntu in particular, warning that any other route to "allow_active" on those systems would turn the libblockdev flaw into the same root escalation.
They also referenced related research by Rory McNamara, Matthias Gerstner, Attila Szasz, and Pumpkin Chang, whose earlier findings on Polkit and D-Bus laid the groundwork for understanding these risks.
Security Recommendations
Administrators are urged to:
- Immediately apply the patches released by SUSE and Red Hat.
- Stop PAM from reading user-supplied environment files by setting user_readenv=0 on pam_env.so.
- Audit Polkit and udisks configurations, especially rules that let "allow_active" sessions perform privileged actions such as filesystem resizing without admin authentication.
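Two of the recommendations above, and the udisks/libblockdev section earlier, come down to checks an administrator can script: is anything loop-mounted under /tmp without nosuid and nodev, and does Polkit still let an "allow_active" session drive the udisks resize path? The script below is an added example, not code from the Qualys advisory, udisks, libblockdev or Polkit. It flags loop-device mounts under /tmp whose options lack nosuid or nodev, and writes a Polkit rule that makes the org.freedesktop.udisks2.modify-device action require admin authentication. The mount-table lines are constructed, the /tmp/blockdev.* mountpoint name is an assumption about how the temporary directory is named, and the action id should be confirmed against the installed udisks policy before the rule is deployed.

```shell
#!/bin/sh
# Added example (not from the Qualys advisory, udisks, libblockdev or Polkit):
# flag loop-device mounts under /tmp that lack nosuid/nodev, the condition the
# libblockdev resize path creates, and generate a Polkit rule that makes the
# udisks modify-device action require admin authentication.
# Mount-table lines below are constructed; the mountpoint name is an assumption.
set -eu

# True (exit 0) when a comma-separated mount option string carries both nosuid
# and nodev, so a SUID binary or device node on the image is inert.
mount_opts_hardened() {
    case ",$1," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$1," in *,nodev,*)  ;; *) return 1 ;; esac
    return 0
}

# Read /proc/mounts-format lines from file $1 and print each loop-device mount
# under /tmp whose options are not hardened, as "device mountpoint fstype options".
find_unsafe_tmp_loop_mounts() {
    while read -r dev mnt fstype opts _; do
        case "$dev" in /dev/loop*) ;; *) continue ;; esac
        case "$mnt" in /tmp/*) ;; *) continue ;; esac
        mount_opts_hardened "$opts" || printf '%s %s %s %s\n' "$dev" "$mnt" "$fstype" "$opts"
    done < "$1"
}

# Write a Polkit rule to $1 that returns AUTH_ADMIN for the udisks action used
# for filesystem resizing, which is equivalent to changing allow_active from
# "yes" to "auth_admin" in the policy. Install under /etc/polkit-1/rules.d/ once
# the action id has been verified with:
#   pkaction --verbose --action-id org.freedesktop.udisks2.modify-device
write_udisks_hardening_rule() {
    cat > "$1" <<'EOF'
// Added hardening rule (example). An "allow_active" session alone can no longer
// trigger the udisks resize path; an administrator password is required.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

SAMPLES=$(mktemp -d)

# Constructed /proc/mounts excerpt: loop0 is an XFS image mounted the way the
# resize helper mounts it (no nosuid/nodev); loop1 is an ordinary udisks user
# mount under /run/media; loop2 is the same kind of temp path mounted safely.
cat > "$SAMPLES/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/loop0 /tmp/blockdev.Ab12Cd xfs rw,relatime,attr2,inode64 0 0
/dev/loop1 /run/media/alice/stick vfat rw,nosuid,nodev,relatime 0 0
/dev/loop2 /tmp/blockdev.Ef34Gh xfs rw,nosuid,nodev,relatime 0 0
EOF

echo "Loop mounts under /tmp without nosuid,nodev:"
find_unsafe_tmp_loop_mounts "$SAMPLES/mounts"

write_udisks_hardening_rule "$SAMPLES/50-udisks-resize-auth-admin.rules"
echo "hardening rule written to $SAMPLES/50-udisks-resize-auth-admin.rules"
```

On a live host, point find_unsafe_tmp_loop_mounts at /proc/self/mounts while a resize is in progress; udisks' own user mounts under /run/media carry nosuid,nodev and will not be reported, only the temporary resize mount will. The rule returns AUTH_ADMIN for every subject, which matches the policy default for inactive sessions and only tightens the active-session case.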
Acknowledgments and Timeline
Qualys credited SUSE, Red Hat, and members of the Linux Distros mailing list for coordinated disclosure. The vulnerabilities were reported on May 14, 2025, and made public on June 17, 2025, following standard responsible disclosure protocols.
📎 For the full advisory and technical breakdown, visit:
https://www.qualys.com/2025/06/17/cve-2025-6018-cve-2025-6019/
Reality on the Ground will continue monitoring the implications of this advisory across enterprise and cloud deployments. For real-time updates, subscribe and follow our Security Watch series.