New Linux udisks flaw lets attackers get root on major Linux distros
58 comments
June 20, 2025
udev4096
It's pretty old and only affects openSUSE, the title is extremely misleading
aspenmayer
> The Qualys Threat Research Unit (TRU), which discovered and reported both flaws, has also developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems.
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
shakna
- openSUSE Leap 15 (Current LTS)
- SUSE Linux Enterprise 15 (Current LTS)
- Debian 12 (Current LTS)
- Ubuntu 24.04 (Current LTS)
... Were you thinking about a different bug...?
hbogert
As someone who has been using linux quite happily on the desktop for more than 20 years now, I have to say it remains an eternal experiment, feature wise as well as security wise.
subscribed
That's certainly an interesting standpoint.
I use both privately and professionally, and while I accept that security-wise (even with SELinux) they feel lacking, feature-wise they far exceed Windows, which I use as my other OS, except in the gaming experience.
I wish I had something like GrapheneOS on desktops (yes I know about Qubes)
lima
Chromium OS gets very close, they also have fully-functional VM-based isolation for Linux applications with GPU acceleration.
Unfortunately, there's no popular non-Google distro of it.
IlikeKitties
> I wish I had something like GrapheneOS on desktops (yes I know about Qubes)
SecureBlue and Kicksecure are the closest equivalents.
3abiton
What's their selling point compared to Qubes?
udev4096
Qubes is definitely hard to daily drive. With its ancient default XFCE design, it looks really ugly. Plus no hardware acceleration.
fsflover
What's hard about it exactly? It's my daily driver. You can install KDE, too: https://forum.qubes-os.org/t/kde-changing-the-way-you-use-qu...
throawayonthe
same! qubes is probably the actual solution for now, but i've seen some grapheneos people work on https://secureblue.dev/ and that seems a lot more "normal"
udev4096
I have been meaning to try out secureblue and hopefully even run it on production VMs in proxmox. Is it stable yet?
stavros
If you think Linux is an experiment, you should see the other OSes.
ahofmann
I'm pretty sure, that the BSD family is pretty mature and secure. Linux is just good enough for most people.
8fingerlouie
A big part of the difference is that the BSDs are designed by a governing committee. They usually don't have 15 different solutions for the same problem, but instead 2-3 solutions that work well.
Take filesystems, the official filesystems are UFS(1/2) and ZFS. They have GEOM as LVM and LUKS and more.
That being said, the majority of money and development goes into Linux, which by itself may make it a better system (eventually).
Edit: Of course UFS is not deprecated.
NexRebular
> I'm pretty sure, that the BSD family is pretty mature and secure.
Not to mention illumos-based systems too.
charcircuit
>is pretty mature and secure
They are still missing something like capability-based security like iOS and Android have, where apps have to be granted access to use things like files or the camera. It may have been considered secure a couple of decades ago, but they have fallen behind the competition.
khurs
Including OpenBSD?
franga2000
Re:"Eternal experiment"... have you seen Windows 11? Or even 10? The devs can't keep their hands off of the thing, changing, breaking and fixing every component every few months.
0points
We're talking about a local privilege escalation here.
That assumes:
1) Attacker already has an account on the system
2) The app `udisks` is installed on the system.
Everyone is fighting the same battle and it's a good thing. It is happening because the rest of the system is hard enough to attack these days. This is true for all major OSes.
Only fanboys bend reality to make this into a good-vs-bad argument.
devnullbrain
>20 years ago
So while Windows was letting everyone be root?
yusina
Software is rarely "done", so is quite naturally always an evolving experiment of sorts.
jpnc
That goes for all (active) software really. Otherwise people call it obsolete or abandoned.
pandemic_region
> I have to say it remains an eternal experiment
You just defined 'life' in general.
icar
Was Arch ever affected?
charcircuit
Another case of suid causing LPE. When will distros learn that suid needs to be removed or disabled if they want security?
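The first step in acting on the comment above is knowing which setuid and setgid files a box actually carries. The following is an added example, not code from the thread or from udisks or any distro: a small C walker that inventories setuid/setgid regular files under a directory tree without following symlinks or crossing mount points. The `make_demo_tree` fixture builds a constructed temp directory (one setuid file, one setgid file, one plain file) so the walker can be exercised without scanning the real system; the path prefix `/tmp/suid-audit-` and the file names are assumptions of this example.

```c
/* Inventory setuid/setgid files under a directory tree.
 * Added example, not from the thread. Builds on Linux/POSIX: cc -Wall suid_audit.c -o suid_audit */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* nftw() offers no user-data pointer, so the walk reports through these. */
static int g_setuid, g_setgid;

static int visit(const char *path, const struct stat *sb, int type, struct FTW *ftw)
{
    (void)ftw;
    if (type != FTW_F)          /* regular files only: directories, symlinks, devices skipped */
        return 0;
    if (sb->st_mode & S_ISUID) {
        g_setuid++;
        printf("setuid %04o uid=%u %s\n", (unsigned)(sb->st_mode & 07777), (unsigned)sb->st_uid, path);
    }
    if (sb->st_mode & S_ISGID) {
        g_setgid++;
        printf("setgid %04o gid=%u %s\n", (unsigned)(sb->st_mode & 07777), (unsigned)sb->st_gid, path);
    }
    return 0;                   /* keep walking */
}

/* Walk `root` (no symlink following, no crossing mount points). Returns the setuid
 * count, stores the setgid count in *setgid_out, or returns -1 on error. */
int count_privileged_files(const char *root, int *setgid_out)
{
    g_setuid = g_setgid = 0;
    if (nftw(root, visit, 32, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    if (setgid_out)
        *setgid_out = g_setgid;
    return g_setuid;
}

/* Constructed fixture (assumption of this example): a temp tree with one setuid file,
 * one setgid file and one plain file. Returns a heap-allocated path or NULL. */
char *make_demo_tree(void)
{
    char dir[] = "/tmp/suid-audit-XXXXXX";
    if (!mkdtemp(dir))
        return NULL;
    const char *names[] = { "helper-suid", "helper-sgid", "plain" };
    const mode_t modes[] = { 04755, 02755, 0755 };
    for (int i = 0; i < 3; i++) {
        char path[sizeof dir + 32];
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, 0600);
        /* The owner may set the setuid bit on its own file; the kernel silently drops
         * setgid if the file's group is not one of the caller's groups. */
        if (fd < 0 || fchmod(fd, modes[i]) != 0) {
            if (fd >= 0)
                close(fd);
            return NULL;
        }
        close(fd);
    }
    return strdup(dir);
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/usr";   /* e.g. ./suid_audit /usr/bin */
    int sgid = 0;
    int suid = count_privileged_files(root, &sgid);
    if (suid < 0) {
        perror("nftw");
        return 1;
    }
    printf("%d setuid, %d setgid files under %s\n", suid, sgid, root);
    return 0;
}
```

Run it against `/usr` (or `/`) on a freshly installed distro and compare the list with what the system actually needs; anything left over is a candidate for `chmod u-s` or for replacement by a file capability or a polkit/IPC-based helper.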
PhilipRoman
Local privesc, don't care. If anyone still thinks that they can draw a security boundary anywhere with a shared kernel, they should really look at kernel CVE database (and be horrified). For every fancy titled exploit there are twenty that you've never heard of.
You can sort of do it if you carefully structure your program to restrict syscall use and then use some minimal and well audited syscall filtering layer to hide most of the kernel. But you really have to know what you're doing and proper security hardening will break a lot of software. To get a basic level of security, you have to disable anything with the letters "BPF", hide all virtual filesystems like /proc, /sys, disable io_uring and remove every CONFIG_* you see until something stops working. Some subsystems seem more vulnerable than others (ironically netfilter seems to be a steady source of vulnerabilities).
udisks, not counting its dependencies, has 265,334 LoC. pmount, in contrast, has 19,978 LoC, or >13x less.
sudo, another setuid binary with a lot of policy code, has 210 CVEs / 430.150 kLoC = ~0.5 CVE per kLoC.
57.5% of CVEs have a CVSS >= 7, so 0.5 * 0.575 = 0.2875 CVE7/kLoC.
As a back-of-envelope estimate,
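The syscall-filtering layer described in the comment above ("restrict syscall use ... disable anything with the letters BPF ... disable io_uring"), as an added example that is not from the thread or from any project named in it. It installs a seccomp-bpf filter that makes `bpf(2)` and the three io_uring syscalls fail with EPERM. A real sandbox would invert this into an allowlist of the few syscalls the program needs; this block keeps allow-by-default so that it can run inside an ordinary process without killing it. It assumes Linux on x86_64 or aarch64 (the `THIS_ARCH` check and the fallback syscall numbers 425-427 are specific to those two ABIs).

```c
/* seccomp-bpf deny filter: bpf(2) and the io_uring syscalls return EPERM.
 * Added example, not from the thread. Assumes Linux on x86_64 or aarch64.
 * Build: cc -Wall seccomp_deny.c -o seccomp_deny */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* io_uring syscall numbers (Linux 5.1) are the same on x86_64 and aarch64;
 * older headers may not define them. */
#ifndef __NR_io_uring_setup
#  define __NR_io_uring_setup 425
#endif
#ifndef __NR_io_uring_enter
#  define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_register
#  define __NR_io_uring_register 427
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install the filter in the calling thread. Returns 0 on success, -1 on failure. */
int install_deny_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: refuse to run under a foreign ABI (x32 on x86_64, 32-bit compat on arm64) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3: load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4-7: deny list; a match jumps to instruction 8 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bpf,               3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup,    2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter,    1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 0, 1),
        /* 8: denied: fail the call with EPERM instead of killing the process */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 9: everything else passes (a hardened program would make this an allowlist) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Required for unprivileged callers; also prevents setuid/fscaps binaries from
     * regaining privilege after exec, which is the property this thread is about. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Probe: attempt io_uring_setup() and return 0 on success or the errno of the failure.
 * With NULL params the unfiltered kernel answers EFAULT (or ENOSYS without io_uring);
 * once the filter is installed the answer is EPERM before the kernel code is reached. */
int probe_io_uring(void)
{
    long fd = syscall(__NR_io_uring_setup, 1, (void *)0);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    int before = probe_io_uring();
    if (install_deny_filter() != 0) {
        perror("install_deny_filter");
        return 1;
    }
    int after = probe_io_uring();
    printf("io_uring_setup before filter: %s\n", before ? strerror(before) : "ok");
    printf("io_uring_setup after filter:  %s\n", after ? strerror(after) : "ok");
    return after == EPERM ? 0 : 1;
}
```

The filter applies to the installing thread and is inherited across fork and exec, so it belongs early in the program, before worker threads are spawned. Keep the architecture check: without it a process can reach a different syscall table through the x32 or compat ABI and bypass the numbers you filtered.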