Advisory ID: NCC-CSIRT-2025-007
Summary:
Qualys Threat Research Unit (TRU) recently disclosed two Local Privilege Escalation (LPE) vulnerabilities affecting many mainstream Linux distributions. The issues, tracked as CVE-2025-6018 and CVE-2025-6019, let an unprivileged user escalate to root. CVE-2025-6019 (in libblockdev, reached through udisks2) is sufficient on its own for root on the many distributions that ship udisks2 by default, provided the attacker already holds an "allow_active" (local console) session; CVE-2025-6018 (a PAM configuration flaw on SUSE systems) supplies exactly that session to an ordinary remote login, so chaining the two turns any SSH account on affected SUSE systems into root.
Damage/Probability: HIGH/Critical
Product(s):
- openSUSE, SUSE Linux
- Ubuntu
- Debian
- Fedora
- Arch Linux
Version(s):
- openSUSE Leap 15, SUSE Linux Enterprise 15 (full CVE-2025-6018 and CVE-2025-6019 chain)
- Ubuntu 22.04 LTS, 24.04 LTS
- Debian 12 (Bookworm)
- Fedora 39/40
- Arch Linux and other rolling-release distributions using udisks2
- Any other Linux system running an unpatched libblockdev/udisks2
Platform(s): Linux OS
Description:
CVE-2025-6019 is a local privilege escalation flaw in libblockdev, the library that udisks2 uses to carry out the storage operations it accepts over D-Bus. udisks2 decides whether to honour a request through polkit, and by default it trusts any "allow_active" user, i.e. one logged in at the local console. libblockdev's filesystem-resize path mounts the target filesystem as root without the nosuid and nodev restrictions that normally apply to user-supplied media, so an allow_active user who provides a crafted filesystem image (for example one attached as a loop device) can have it mounted with those protections missing and then execute a setuid-root binary from it, obtaining a root shell.
CVE-2025-6018 is a separate PAM configuration weakness in openSUSE Leap 15 and SUSE Linux Enterprise 15 that allows a remote, unprivileged login (such as an SSH session) to be registered as an "allow_active" session. On its own it only grants the polkit privileges of a physically present user, but chained with CVE-2025-6019 it removes the one precondition that flaw has, so the pair gives root to any SSH account on those systems.
The libblockdev flaw affects multiple distributions, including Ubuntu, Debian, Fedora, and openSUSE. Exploitation requires only local access (or, on SUSE, a remote shell) and standard tools such as udisksctl, making it low-complexity and high-impact.
Consequences:
- A complete local-to-root exploit chain exists that combines both CVEs for full system compromise.
- CVE-2025-6019 alone is exploitable on multiple major distributions, including Ubuntu, Debian, Fedora, and openSUSE Leap 15, without CVE-2025-6018, wherever the attacker has an allow_active session.
- Root compromise opens the door to system-wide backdoors, tampering with security agents, persistence mechanisms, and lateral movement across the network.
Solution:
1. Immediate Patching
- Apply vendor updates for libblockdev/udisks2 on every distribution, and for PAM on SUSE-based systems.
- Verify that the installed libblockdev/udisks2 build carries the CVE-2025-6019 fix. Older udisks2 releases are affected as well, so an old package version is not evidence of safety.
2. Access Restriction Controls
- Restrict or tightly control D-Bus access to udisks2.
- On shared or multi-user systems, constrain which users can mount or manage devices; a polkit rule that limits org.freedesktop.udisks2.* actions to an administrative group is the usual mechanism.
3. Security Policy Reinforcement
- Confine udisks2 with AppArmor or SELinux to limit what it can reach through D-Bus.
- Temporarily disable udisks2 (systemctl disable --now udisks2) on systems that do not require dynamic device management.
4. Proactive Monitoring
- Log and inspect udisksctl invocations and D-Bus activity related to storage management.
- Look for anomalous mount or resize operations on user-supplied images and for unexpected processes invoking udisks2.
5. Patch Chain Dependencies
- On SUSE-based systems in particular, patch PAM to close CVE-2025-6018 so that remote users cannot obtain the allow_active status that CVE-2025-6019 requires.
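The following script is an added illustration of steps 2 and 4 above; it is the editor's example, not code from this advisory, from Qualys, or from the udisks2 project. It assumes the administrative group is named "wheel" (Debian and Ubuntu hosts would use "sudo") and that udisksd logs mounts as "Mounted <device> at <path> on behalf of uid <n>"; the log lines it processes are constructed sample data, not real captures.

```shell
#!/bin/sh
# Added example for steps 2 and 4 of the advisory (editor's code, not from the
# advisory, Qualys or udisks2). Assumptions: admin group "wheel"; udisksd log
# format "Mounted <dev> at <path> on behalf of uid <n>".

# --- Step 2: polkit rule limiting udisks2 actions to an admin group ---------
# Writes a rule file into $1 (default: the real polkit rules directory) that
# denies every org.freedesktop.udisks2.* action to users outside group $2.
write_udisks_polkit_rule() {
    rules_dir="${1:-/etc/polkit-1/rules.d}"
    admin_group="${2:-wheel}"
    rule_file="$rules_dir/10-restrict-udisks2.rules"
    mkdir -p "$rules_dir"
    cat > "$rule_file" <<EOF
// Deny all udisks2 actions (mount, loop setup, resize, ...) unless the caller
// is a member of "$admin_group". Files in rules.d are evaluated in name order.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        !subject.isInGroup("$admin_group")) {
        return polkit.Result.NO;
    }
});
EOF
    printf '%s\n' "$rule_file"
}

# --- Step 4: detection over udisksd journal output --------------------------
# Print udisksd mount events performed on behalf of a non-root uid. Feed it the
# output of "journalctl -u udisks2 --no-pager > file" (or the sample below).
nonroot_udisks_mounts() {
    awk '/udisksd\[[0-9]+\]: Mounted .* on behalf of uid [0-9]+/ {
             uid = $0
             sub(/.* on behalf of uid /, "", uid)
             if (uid + 0 != 0) print
         }' "$1"
}

# Same filter, returning only the number of matching events (handy as an
# alerting threshold on hosts where non-admin mounts should never happen).
count_nonroot_udisks_mounts() {
    nonroot_udisks_mounts "$1" | awk 'END { print NR }'
}

# Constructed sample log (not real data): one root mount, two non-root mounts
# (loop devices, as a user-supplied image would appear) and an unrelated line.
sample_udisks_log() {
    cat > "$1" <<'EOF'
Jun 18 10:02:11 host udisksd[812]: Mounted /dev/sda1 at /boot/efi on behalf of uid 0
Jun 18 10:05:42 host udisksd[812]: Mounted /dev/loop3 at /run/media/alice/img on behalf of uid 1000
Jun 18 10:05:43 host sshd[2201]: Accepted password for alice from 10.0.0.5 port 51922 ssh2
Jun 18 10:06:01 host udisksd[812]: Mounted /dev/loop4 at /run/media/bob/scratch on behalf of uid 1001
EOF
}

# Stand-alone demo: everything goes into a temporary directory so this runs
# unprivileged; as root, point write_udisks_polkit_rule at the real directory.
demo_dir="$(mktemp -d)"
sample_udisks_log "$demo_dir/udisks.log"
echo "non-root udisks mounts: $(count_nonroot_udisks_mounts "$demo_dir/udisks.log")"
nonroot_udisks_mounts "$demo_dir/udisks.log"
echo "wrote $(write_udisks_polkit_rule "$demo_dir/rules.d" wheel)"
```

The polkit rule is deliberately broad: it denies the whole org.freedesktop.udisks2.* namespace rather than guessing which action the resize path is checked under, which is the safer choice while the libblockdev fix is still being rolled out. The detection filter keys on the uid udisksd records, so a mount by a console user shows up even when the process that called udisksctl has already exited.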
References:
- https://www.infosecurity-magazine.com/news/linux-flaws-allowing-root-access/
- https://cyberpress.org/privilege-escalation-vulnerabilities/
- https://securityonline.info/critical-linux-root-exploit-chain-discovered-in-pam-udisks-affecting-major-distros/
- https://www.securityweek.com/linux-security-new-flaws-allow-root-access-cisa-warns-of-old-bug-exploitation/
- https://www.blackhatethicalhacking.com/new-linux-vulnerabilities-allow-instant-root-access-across-major-distros/