CVE-2025-6019
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-07-10
Assigner: Red Hat, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6019 is a local privilege escalation vulnerability in libblockdev that allows a physically present user with 'allow_active' permissions to escalate to full root privileges. The vulnerability arises because libblockdev interacts with the udisks daemon in a way that lets an attacker create a specially crafted XFS filesystem image containing a SUID-root shell. When udisks resizes this image, it mounts the malicious filesystem with root privileges, enabling execution of the SUID-root shell and full system control. [2, 4]
How can this vulnerability impact me?
This vulnerability can allow a local attacker with 'allow_active' user permissions to gain unauthorized root access to the system. This means the attacker can execute arbitrary code with full administrative privileges, potentially compromising the entire system, accessing sensitive data, installing malware, or disrupting system operations. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-6019 involves checking if your system is running vulnerable versions of libblockdev and udisks, and if the 'allow_active' setting in Polkit is enabled. Additionally, on Debian 12 and Ubuntu 24.04 systems, verify if the PAM 'user_readenv' option is set to 1 in /etc/pam.d/sshd, which can contribute to the vulnerability. While no specific detection commands are provided, you can check installed package versions with commands like 'dpkg -l | grep libblockdev' and 'dpkg -l | grep udisks2' on Debian-based systems. Also, inspect /etc/pam.d/sshd for the 'user_readenv' setting using 'grep user_readenv /etc/pam.d/sshd'. Monitoring for unusual mounts of user-provided filesystem images with SUID bits set could also indicate exploitation attempts. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading libblockdev and udisks2 to the fixed versions released by your distribution. For Debian 11 Bullseye, upgrade to libblockdev version 2.25-2+deb11u1 or later. The udisks2 update enforces mounting private mounts with 'nodev,nosuid' options to prevent privilege escalation. Additionally, consider disabling or restricting the 'allow_active' setting in Polkit to limit user actions. On Debian and Ubuntu systems, review and adjust the PAM 'user_readenv' option in /etc/pam.d/sshd to 0 (disabled) to reduce risk. Applying the patches that prevent setting SUID and device bits during filesystem resize operations and enforce private mounts with secure options is also recommended. [3, 4]
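The checks the two answers above describe, collected into one read-only script as an added example (not BaseFortify's or any distribution's own tooling): it lists the installed libblockdev and udisks2 versions from `dpkg -l`, tests the sshd PAM stack for `user_readenv=1`, and reports user mounts whose options lack `nosuid` or `nodev`. Assumed: the `user_readenv` option appears on a `pam_env.so` line, udisks user mounts sit under /media or /run/media, and comparing the printed versions against your distribution's advisory is done by hand.

```shell
#!/bin/sh
# Added example, not BaseFortify's or any distribution's tooling. Read-only
# checks for the CVE-2025-6019 conditions named above: installed package
# versions, the PAM user_readenv option, and user mounts lacking nosuid/nodev.
# Assumption: udisks user mounts live under /media or /run/media.

# Print "package version" for libblockdev* and udisks2 packages. Reads a saved
# `dpkg -l` listing from $1, or runs dpkg -l when no file is given.
installed_versions() {
    if [ -n "$1" ]; then cat "$1"; else dpkg -l; fi |
        awk '$1 == "ii" && ($2 ~ /^libblockdev/ || $2 ~ /^udisks2/) { print $2, $3 }'
}

# Exit 0 when the sshd PAM stack enables user_readenv=1 on an uncommented
# pam_env.so line (assumed format), 1 when it does not, 2 if unreadable.
pam_user_readenv_enabled() {
    pam_file="${1:-/etc/pam.d/sshd}"
    [ -r "$pam_file" ] || return 2
    grep -Eq '^[^#]*pam_env\.so.*user_readenv=1' "$pam_file"
}

# Print every user mount whose options lack nosuid or nodev, reading a file in
# /proc/mounts format ($1, default /proc/mounts). Exit 0 if any was printed.
mounts_missing_nosuid_nodev() {
    mounts_file="${1:-/proc/mounts}"
    found=1
    while read -r _dev mnt fstype opts _rest; do
        case "$mnt" in
            /media/*|/run/media/*) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,nosuid,*) has_nosuid=1 ;;
            *) has_nosuid=0 ;;
        esac
        case ",$opts," in
            *,nodev,*) has_nodev=1 ;;
            *) has_nodev=0 ;;
        esac
        if [ "$has_nosuid" -eq 0 ] || [ "$has_nodev" -eq 0 ]; then
            printf '%s %s %s\n' "$mnt" "$fstype" "$opts"
            found=0
        fi
    done < "$mounts_file"
    return "$found"
}
```

Run the three functions without arguments on a live host to read dpkg, /etc/pam.d/sshd and /proc/mounts directly; a non-empty mount listing or a zero exit from the PAM check marks a condition the advisory says to fix.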