\nThe Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.<\/p>\n
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker\u2014for example, via SSH\u2014can elevate to the \u201callow_active\u201d user and invoke polkit actions normally reserved for a physically present user.<\/p>\n
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an \u201callow_active\u201d user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.<\/p>\n
This libblockdev\/udisks flaw is extremely significant. Although it nominally requires \u201callow_active\u201d privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain \u201callow_active\u201d, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort. Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a **critical, universal risk and deploy patches without delay**.<\/p>\n
The Qualys Threat Research Unit (TRU) has developed proof-of-concept exploits to validate these vulnerabilities on various operating systems, successfully targeting the libblockdev\/udisks flaw on Ubuntu, Debian, Fedora, and openSUSE Leap 15.<\/p>\n
## **Understanding PAM and udisks\/libblockdev**<\/p>\n
**PAM Configuration in openSUSE\/SLE 15:** The Pluggable Authentication Modules (PAM) framework controls how users authenticate and start sessions on Linux. In openSUSE\/SLE 15, the PAM stack is configured to determine which users count as \u201cactive\u201d (i.e., physically present) for privileged actions. A misconfiguration here can treat any local login\u2014including remote SSH sessions\u2014as if the user were at the console. This \u201callow_active\u201d context typically grants access to certain polkit operations reserved for someone at the machine; if misapplied, it lets an unprivileged user perform actions they should not.<\/p>\n
**udisks Daemon and libblockdev:** The udisks service runs by default on most Linux systems, offering a D-Bus interface for storage management (mounting, querying, formatting, etc.). Under the hood, udisks calls into libblockdev, a library handling low-level block-device operations. A flaw in libblockdev\u2014reachable via udisks\u2014allows any user already in the \u201callow_active\u201d context to escalate directly to root. Since udisks is ubiquitous, understanding its role and how it uses libblockdev is key; it\u2019s the component that bridges a session\u2019s privileges to device-management routines, and a vulnerability here can give full system control.<\/p>\n
## **Potential Impact**<\/p>\n
These modern \u201clocal-to-root\u201d exploits have collapsed the gap between an ordinary logged-in user and a full system takeover. By chaining legitimate services such as udisks loop-mounts and PAM\/environment quirks, attackers who own any active GUI or SSH session can vault across polkit\u2019s allow_active trust zone and emerge as root in seconds. Nothing exotic is required: each link is pre-installed on mainstream Linux distros and their server builds.<\/p>\n
Root access is the highest impact vulnerability. From there, an intruder can silently unload EDR agents and implant kernel-level backdoors for persistent code execution or rewrite system configurations that survive reboots. These compromised servers become launchpads for lateral movements. Exploits targeting default server packages can spread from a single compromised system to a fleet-wide issue. To reduce this risk, fleet-wide updates should be applied, and security measures like polkit rules and loop-mount policies should be strengthened. This broad strategy helps contain an initial breach and protect the entire network.<\/p>\n
## **Mitigation Guideline for libblockdev\/udisks Vulnerability**<\/p>\n
The default polkit policy for the “org.freedesktop.udisks2.modify-device” action may allow any active user to modify devices. This can be exploited to bypass security restrictions. To mitigate this, the policy should be changed to require administrator authentication for this action.<\/p>\n
Configuration Change<\/p>\n
To mitigate this vulnerability, modify the polkit rule for “org.freedesktop.udisks2.modify-device”. Change the allow_active setting from yes to auth_admin.<\/p>\n
Always prioritize patches and follow specific instructions from your Linux distribution vendor’s advisory.<\/p>\n
## **Technical Details**<\/p>\n
You can find the technical details of these vulnerabilities at: <\/p>\n
https:\/\/www.qualys.com\/2025\/06\/17\/suse15-pam-udisks-lpe.txt<\/p>\n
Link to patches: https:\/\/www.openwall.com\/lists\/oss-security\/2025\/06\/17\/5<\/p>\n
## **Qualys QID Coverage**<\/p>\n
Qualys will release the QIDs in the table below as they become available.<\/p>\n
**QID**| **Title**| **Version**| **Supported On**
—|—|—|—
TBD| TBD| Available by the end of the day| Scanner + Agent <\/p>\n
## **Conclusion**<\/p>\n
Chaining CVE-2025-6018 and CVE-2025-6019 lets any SUSE 15\/Leap 15 SSH user leap from \u201cnormal\u201d to root with the default PAM + udisks installed. One vulnerability grants allow ___ active, and the next turns that status into full root, all with built-in packages. Root access enables agent tampering, persistence, and lateral movement, so one unpatched server endangers the whole fleet. Patch both PAM and libblockdev\/udisks everywhere to eliminate this path.<\/p>\n
### **Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)**<\/p>\n
Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and address the associated risks.<\/p>\n
Leverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing these vulnerabilities.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks Update ID QUALYSBLOG:DEE7E798508CA32CA728E83CFC83CB2D Type qualysblog Published…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,120,7,11,5],"class_list":["post-6996","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=6996\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks Update ID QUALYSBLOG:DEE7E798508CA32CA728E83CFC83CB2D Type qualysblog Published...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=6996\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-17T17:34:52+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\\\/udisks\",\"datePublished\":\"2025-06-17T17:34:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996\"},\"wordCount\":933,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"qualysblog\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6996#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996\",\"name\":\"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\\\/udisks - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-06-17T17:34:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6996\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6996#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\\\/udisks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=6996","og_locale":"en_US","og_type":"article","og_title":"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks - zero redgem","og_description":"Security Update News Update Information Title Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks Update ID QUALYSBLOG:DEE7E798508CA32CA728E83CFC83CB2D Type qualysblog Published...","og_url":"https:\/\/zero.redgem.net\/?p=6996","og_site_name":"zero redgem","article_published_time":"2025-06-17T17:34:52+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=6996#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=6996"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks","datePublished":"2025-06-17T17:34:52+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=6996"},"wordCount":933,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","qualysblog","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=6996#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=6996","url":"https:\/\/zero.redgem.net\/?p=6996","name":"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-06-17T17:34:52+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=6996#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=6996"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=6996#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev\/udisks"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6996"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6996\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}