Week 25 – Two severe vulnerabilities in SUSE Linux system

06 – 22 June 2025
It’s Friday again, which for some people means throwing a party to let the stress out after a long week at work. Not for engineers responsible for securing SUSE Linux systems, though.
SUSE is a distribution loved by many desktop and server users alike, gaining popularity since 1994 with its versatility and excellent YaST configuration utility. While its stability remains unquestionable, the time has come to apply critical patches as the distro is currently making headlines with two severe vulnerabilities, making it the subject of our #CVEOfTheWeek post.
The first bug, tagged CVE-2025-6018, is a local privilege escalation which allows an authenticated, remote attacker to obtain the permissions of a user physically sitting at the keyboard. This is possible by setting the XDG_SEAT and XDG_VTNR environment variables in an SSH session, which are read by PAM, causing polkit to grant “allow_active” permissions, normally reserved for physical users.
This is worrying on its own, but another discovered weakness, CVE-2025-6019, makes the impact devastating, allowing attackers to gain root. The exploitation is trivial: once an attacker holds the “allow_active” permissions of a regular user, a loop device can be created from a crafted XFS image that contains a SETUID binary. Normally, when the udisks daemon calls libblockdev to mount such an image, it sets the “nosuid” option to prevent privilege escalation. Interestingly, this option is not set when a filesystem resize is requested via the xfs_growfs utility, enabling the execution of the SUID program residing on the XFS image.
Patches have already been developed to address these issues, so admins are urged to update as soon as possible. To further harden the system, we also advise setting up monitoring tools and auditing the commands associated with the exploits.
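One concrete check that supports the monitoring advice above is to look for logind sessions that arrived over SSH yet own a physical seat or virtual terminal, which is exactly the state the XDG_SEAT/XDG_VTNR trick behind CVE-2025-6018 produces. The script below is an added example written for this post; it is not code from the original post, from Qualys or from SUSE. It assumes the property names printed by `loginctl show-session` (Id, Name, Seat, VTNr, Remote, RemoteHost, Service) and uses constructed sample output so it can be exercised offline; the `live_session_texts` helper is the only part that talks to the host.

```python
"""Flag remote (SSH) logind sessions that claim a physical seat or VT.

Added example, not from the original post, Qualys or SUSE. A session
started by sshd should carry no Seat and no VTNr; if it does, polkit may
treat the user as "allow_active" (the CVE-2025-6018 condition). The
parser works on the Key=Value lines of `loginctl show-session <id>`.
"""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass


@dataclass
class Session:
    id: str
    user: str
    remote: bool
    seat: str
    vtnr: str
    service: str
    remote_host: str


def parse_session(text: str) -> Session:
    """Parse `loginctl show-session` output (one Key=Value per line)."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key] = value
    return Session(
        id=props.get("Id", ""),
        user=props.get("Name", ""),
        remote=props.get("Remote", "no") == "yes",
        seat=props.get("Seat", ""),
        vtnr=props.get("VTNr", ""),
        service=props.get("Service", ""),
        remote_host=props.get("RemoteHost", ""),
    )


def is_suspicious(s: Session) -> bool:
    """A remote or sshd-started session that owns a seat or VT is anomalous."""
    claims_local = bool(s.seat) or s.vtnr not in ("", "0")
    return claims_local and (s.remote or s.service == "sshd")


def audit(session_texts: list[str]) -> list[str]:
    """Return one finding line per anomalous session."""
    findings = []
    for text in session_texts:
        s = parse_session(text)
        if is_suspicious(s):
            findings.append(
                f"session {s.id} user={s.user} service={s.service} "
                f"remote_host={s.remote_host or '-'} "
                f"seat={s.seat or '-'} vtnr={s.vtnr or '-'}"
            )
    return findings


def live_session_texts() -> list[str]:
    """Collect show-session output for every session on this host (needs loginctl)."""
    if shutil.which("loginctl") is None:
        return []
    listing = subprocess.run(
        ["loginctl", "list-sessions", "--no-legend"],
        capture_output=True, text=True, check=True,
    ).stdout
    texts = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        session_id = line.split()[0]
        texts.append(subprocess.run(
            ["loginctl", "show-session", session_id],
            capture_output=True, text=True, check=True,
        ).stdout)
    return texts


# Constructed sample output (not captured from a real host).
SAMPLE_SESSIONS = [
    # A normal console login on seat0, VT 2: expected to be clean.
    "Id=1\nUser=1000\nName=alice\nVTNr=2\nSeat=seat0\nTTY=tty2\n"
    "Remote=no\nService=login\nType=tty\nClass=user\nActive=yes\n",
    # An ordinary SSH session: no seat, no VT, expected to be clean.
    "Id=7\nUser=1001\nName=bob\nVTNr=0\nSeat=\nTTY=pts/0\nRemote=yes\n"
    "RemoteHost=198.51.100.23\nService=sshd\nType=tty\nClass=user\nActive=no\n",
    # An SSH session that nevertheless carries seat0 and VT 1: flagged.
    "Id=9\nUser=1001\nName=bob\nVTNr=1\nSeat=seat0\nTTY=pts/1\nRemote=yes\n"
    "RemoteHost=198.51.100.23\nService=sshd\nType=tty\nClass=user\nActive=yes\n",
]

if __name__ == "__main__":
    for finding in audit(live_session_texts() or SAMPLE_SESSIONS):
        print("SUSPICIOUS:", finding)
```

Run it from cron or a log shipper on each SUSE host; any "SUSPICIOUS" line is worth correlating with the SSH login in the auth log, because a remote session that polkit would treat as physically present is precisely what the patched PAM configuration is meant to rule out.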
Kudos to Qualys for their research and writeup, which you can find here: https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
You can also track the status of the official SUSE patches on their bugzilla page:
CVE-2025-6018: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-6018
CVE-2025-6019: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-6019

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.