Serious Vulnerabilities Found in Linux PAM: What You Need to Know

Cybersecurity researchers have identified significant local privilege escalation (LPE) vulnerabilities that pose a serious risk to users of popular Linux distributions. These flaws, discovered by the team at Qualys, could allow unauthorized individuals to gain root privileges and fully control affected systems.

Overview of the Vulnerabilities

The recent research has revealed two key vulnerabilities:

1. CVE-2025-6018: This vulnerability affects SUSE 15’s Pluggable Authentication Modules (PAM) by allowing an unprivileged user to escalate their rights to the "allow_active" user level.

2. CVE-2025-6019: This issue pertains to libblockdev and can be exploited through the udisks daemon, converting an "allow_active" user to full root privileges.

As Saeed Abbasi, Senior Manager at the Qualys Threat Research Unit, noted, the emergence of these vulnerabilities effectively diminishes the separation between regular user access and obtaining full system control.

Impact of the Vulnerabilities

The potential severity of these vulnerabilities is substantial. With a successful exploit, an attacker with access to a graphical user interface (GUI) or an SSH session could bypass existing security measures, leveraging the flaws to gain root access in a matter of seconds.

CVE-2025-6018 exists within the PAM configuration and affects both openSUSE Leap 15 and SUSE Linux Enterprise 15 installations. Attackers could exploit this vulnerability to perform Polkit actions intended for users with physical system access.

Meanwhile, CVE-2025-6019 facilitates further escalation from the "allow_active" level to root access through exploits in the popular udisks daemon, which is installed by default on a wide variety of Linux distributions.

Vulnerability Scope

Qualys emphasizes that the nature of udisks makes nearly all Linux systems potentially vulnerable. Even though gaining "allow_active" access typically requires specific permissions, the PAM configuration flaw noted effectively removes that barrier. This underscores the critical need for users to stay informed and proactive about securing their systems.

When attackers achieve root privileges, they can execute a range of malicious activities that could compromise the integrity of the entire system. This includes the ability to alter security configurations and implant backdoors for stealthy, ongoing access.

Qualys has produced proof-of-concept (PoC) code to demonstrate these vulnerabilities across various operating systems, including popular distributions like Ubuntu, Debian, and Fedora.

Recommended Mitigations

To counter the threats posed by these vulnerabilities, users are urged to implement patches as soon as they are available from their respective Linux distribution vendors.

As an interim measure, users can edit the Polkit rule for "org.freedesktop.udisks2.modify-device" to demand administrator authentication for modifications, enhancing the immediate security posture of vulnerable systems.

Additional PAM Vulnerability

The disclosure of these two vulnerabilities coincides with another high-severity flaw in Linux PAM, identified as CVE-2025-6020. This vulnerability has a CVSS score of 7.8 and could similarly allow local users to elevate their privileges to root.

The vulnerability in PAM was addressed in version 1.7.1. According to Dmitry V. Levin, a maintainer of Linux PAM, the module pam_namespace (versions <= 1.7.0) does not adequately protect user-controlled paths. This oversight could enable privilege escalation through a series of symlink attacks and race conditions.

For systems utilizing pam_namespace to set up polyinstantiated directories that are user-controlled, it’s crucial to either disable this module or ensure it does not interact with vulnerable paths to mitigate the risk.

Conclusion

As cybersecurity continues to evolve, the discovery of these vulnerabilities in Linux PAM serves as a poignant reminder for users to stay vigilant about security practices. Regular updates and prompt application of security patches are essential steps in maintaining the integrity of systems against evolving threats. With the rapid pace of technological advancement, staying informed about vulnerabilities is not just advisable but crucial for protecting sensitive information and system functionality.