Linux PAM Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. This vulnerability allows an unprivileged local attacker, such as a user logged in via SSH, to gain the privileges of a physical 'allow_active' user. This access enables the attacker to perform 'allow_active yes' Polkit actions, typically reserved for console users, potentially leading to unauthorized control over system configurations and sensitive operations.

Impact

Exploitation of this vulnerability allows an unprivileged user to gain 'allow_active' status, enabling access to certain Polkit actions that can manipulate system settings and services. This initial privilege escalation can be further exploited to gain root access, as detailed in the context of CVE-2025-6019.

Reproduction

To reproduce this vulnerability, log in as an unprivileged user via SSH on an affected system. The PAM 'pam_env' module will automatically read the user's '~/.pam_environment' file, allowing the injection of arbitrary environment variables. Set 'XDG_SEAT' to 'seat0' and 'XDG_VTNR' to '1' to simulate the presence of a physical user. After logging out and back in, the 'allow_active' privileges can be verified by calling the 'CanReboot' method via D-Bus, which should return 'yes'.

Remediation

Updates that address this vulnerability are available for various SUSE and openSUSE versions. Users can consult the SUSE update announcement pages for details on how to apply these patches.