Veronika Telychko@SOC Prime Blog
//
Two critical local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been publicly disclosed, impacting a wide range of Linux distributions. Cybersecurity researchers at Qualys discovered that these vulnerabilities, when chained together, could allow an unprivileged user to gain full root access on vulnerable systems. The flaws reside in the Pluggable Authentication Modules (PAM) configuration (CVE-2025-6018) and the libblockdev library (CVE-2025-6019), with the latter being exploitable through the udisks daemon, which is commonly deployed by default in many Linux distributions.
Researchers have released proof-of-concept (PoC) exploit code demonstrating the effectiveness of the vulnerability chain, raising concerns about potential exploitation in the wild. CVE-2025-6018 allows an unprivileged local user to elevate permissions to "allow_active" status, enabling them to invoke Polkit actions typically reserved for users with physical access to the machine. CVE-2025-6019 then permits an "allow_active" user to gain full root privileges, effectively bypassing security controls and allowing for broader post-compromise actions.

The teams responsible for the most popular Linux distributions have already begun working on fixes. Patches for Ubuntu are reportedly ready, and users of other distributions are advised to monitor for updates and install them promptly as they become available. As a temporary workaround, Qualys recommends modifying the Polkit rule for "org.freedesktop.udisks2.modify-device" to require administrator authentication ("auth_admin"). This highlights the critical importance of regular patching and vulnerability management in maintaining the security of Linux systems.

References:
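The interim mitigation above is a one-line Polkit policy change. The following script is an added example (not code from the SOC Prime post, Qualys, or the udisks project) that emits that rule, writes it into the Polkit rules directory, and verifies the written file. It assumes a distribution whose Polkit reads JavaScript rules from /etc/polkit-1/rules.d/ (polkit 0.106 and later; older releases that use .pkla files need a different format), and the file name 10-udisks2-cve-2025-6019.rules is our own choice.

```shell
#!/bin/sh
# Added example: write and check a polkit rule that forces administrator
# authentication for the udisks2 modify-device action (interim mitigation
# for CVE-2025-6019). Assumes polkit >= 0.106 JavaScript rules in
# /etc/polkit-1/rules.d/; the rule file name below is our own choice.

ACTION_ID="org.freedesktop.udisks2.modify-device"
RULE_FILE="${RULE_FILE:-/etc/polkit-1/rules.d/10-udisks2-cve-2025-6019.rules}"

# Print the rule body. polkit evaluates rules.d files in lexical order, so a
# low prefix lets a later, higher-numbered site rule override this one if needed.
udisks_rule_text() {
    cat <<EOF
// Interim mitigation for CVE-2025-6019: require admin auth for $ACTION_ID
polkit.addRule(function(action, subject) {
    if (action.id == "$ACTION_ID") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Write the rule to the given path, world-readable so polkitd can load it.
install_udisks_rule() {
    target="$1"
    udisks_rule_text > "$target" || return 1
    chmod 0644 "$target"
}

# Confirm a written rule file names the action and returns AUTH_ADMIN.
# Returns 0 when both are present, 1 otherwise.
verify_udisks_rule() {
    target="$1"
    [ -f "$target" ] || return 1
    grep -q "$ACTION_ID" "$target" && grep -q 'polkit\.Result\.AUTH_ADMIN' "$target"
}

# Usage: run as root with "install" to write the rule; otherwise only print it.
if [ "${1:-}" = "install" ]; then
    install_udisks_rule "$RULE_FILE" && verify_udisks_rule "$RULE_FILE" \
        && echo "rule written to $RULE_FILE"
else
    udisks_rule_text
fi
```

On most systemd-based systems polkitd watches the rules directories and picks up a new file without a restart; if a change does not take effect, restart the polkit service. The rule only raises the bar for this one action and is no substitute for installing the fixed libblockdev and PAM packages once the distribution ships them.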
Classification:
@blog.redteam-pentesting.de
//
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.
Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token. The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential.

References:
Classification:
@securityonline.info
//
Multiple local vulnerabilities have been discovered in the Kea DHCP server suite, impacting default installations on Linux and BSD distributions. A report by the SUSE Security Team highlighted these flaws during a routine code review, before Kea was due to ship in their products. Among the issues is a critical local root exploit that allows an unprivileged user to inject a hook library, leading to arbitrary code execution with root privileges. Other vulnerabilities include the ability to overwrite configuration files via the config-write command, as well as hash denial-of-service issues.

The set-config REST API command presents a significant security risk, as it grants complete control over the configuration of the kea-ctrl-agent and individual Kea services. This control allows for a trivial local privilege escalation by configuring a hook library accessible to an unprivileged user. The vulnerabilities were found in Kea release 2.6.1, but it is believed that older releases are also affected. The report also details seven security issues, including local privilege escalation and arbitrary file overwrite vulnerabilities. The Internet Systems Consortium (ISC) has addressed these vulnerabilities by releasing security fixes in all currently supported release series of Kea: 2.4.2, 2.6.3, and 2.7.9. These updates were made available on May 28, 2025, and users are strongly advised to update their Kea DHCP server installations immediately. CVE numbers CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 have been assigned to the vulnerabilities, with some CVEs covering multiple security flaws.

References:
Classification: