SUSE releases critical PAM security updates for CVE-2025-6018 (pam_env) & CVE-2025-6020 (pam_namespace). Learn patch commands for SLES, openSUSE, and SUSE Manager to prevent privilege escalation risks. Essential for Linux admins!
Overview of the Security Advisory
SUSE has released an important security update (SUSE-SU-2025:02013-1) for the Pluggable Authentication Module (PAM) framework, addressing two critical vulnerabilities:
- CVE-2025-6018 (CVSS 8.6) – A security flaw in pam_env that could allow unauthorized environment variable manipulation.
- CVE-2025-6020 (CVSS 7.8) – A privilege escalation risk in pam_namespace due to improper path handling.
This update impacts multiple SUSE Linux Enterprise distributions, including SLES 15 SP3-SP7, openSUSE Leap 15.6, and SUSE Manager deployments.
Detailed Vulnerability Analysis
1. CVE-2025-6018: pam_env Security Bypass
Risk Level: High (CVSS 8.6)
Affected Component: pam_env module
What’s the Issue?
By default, pam_env reads user-controlled .pam_environment files, which could be exploited to manipulate environment variables. An attacker with local access could escalate privileges by injecting malicious configurations.
Mitigation Applied
SUSE has disabled the reading of user .pam_environment files by default. System administrators must now explicitly enable this feature if required.
🔹 Enterprise Impact:
Affects multi-user systems where environment variable tampering could lead to privilege escalation.
Critical for shared hosting, cloud deployments, and containerized environments.
2. CVE-2025-6020: pam_namespace File Descriptor Handling Flaw
Risk Level: High (CVSS 7.8)
Affected Component: pam_namespace module
What’s the Issue?
The module previously used absolute paths for file operations, making it vulnerable to symlink attacks and race conditions.
A local attacker could manipulate namespace configurations to gain elevated access.
Mitigation Applied
SUSE has refactored the code to use file descriptors (FDs) instead of pathnames, reducing attack surface.
🔹 Enterprise Impact:
Particularly relevant for virtualized environments and high-security deployments.
Prevents unauthorized access to sensitive namespace configurations.
Affected Products & Patch Instructions
Key Affected Distributions
| Product | Patch Command |
|---|---|
| openSUSE Leap 15.6 | zypper in -t patch openSUSE-SLE-15.6-2025-2013=1 |
| SLES 15 SP6/SP7 | zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-2013=1 |
| SUSE Manager 4.3 | zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-2013=1 |
| SUSE Linux Enterprise Micro 5.5 | zypper in -t patch SUSE-SLE-Micro-5.5-2025-2013=1 |
📌 Full list of impacted systems:
SUSE Linux Enterprise Server (SP3-SP7, LTSS, SAP)
SUSE Manager (Proxy, Retail Branch, Server)
SUSE Enterprise Storage 7.1
openSUSE Leap 15.6
Best Practices for Enterprise Security Teams
✅ Immediate Actions:
- Apply patches via zypper patch or YaST online update.
- Verify /etc/pam.d/ configurations for custom modifications.
✅ Long-Term Mitigation:
- Disable unnecessary PAM modules in high-security environments.
- Audit user-controlled files (~/.pam_environment) for anomalies.
- Monitor privilege escalation attempts using auditd or SELinux.
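The two configuration reviews recommended above (checking /etc/pam.d/ for custom modifications and auditing ~/.pam_environment files) can be scripted. The helper below is an added example, not code from SUSE's advisory or from the pam project; it assumes that the switch an administrator would use to re-enable per-user environment files is pam_env's user_readenv=1 option, and it takes the PAM directory and home root as parameters so that it can run on a constructed sample tree as well as on the live /etc/pam.d and /home.

```shell
#!/bin/sh
# Added audit helper (not part of SUSE's advisory or the pam project).
# It reports every active pam_env line that passes user_readenv=1, i.e. that
# re-enables the per-user .pam_environment reading the CVE-2025-6018 fix turns
# off by default, and lists which home directories carry such a file at all.

# Print file:line:content for each uncommented pam_env line that sets
# user_readenv=1. grep exits 1 when nothing matches, which is a clean result.
find_user_readenv_enabled() {
    grep -rnE '^[^#]*pam_env\.so[^#]*user_readenv=1' "$1" 2>/dev/null || true
}

count_user_readenv_enabled() {
    find_user_readenv_enabled "$1" | wc -l | tr -d ' '
}

# List .pam_environment files sitting directly under each home directory.
find_user_pam_env_files() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -name .pam_environment 2>/dev/null | sort
}

count_user_pam_env_files() {
    find_user_pam_env_files "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (not real system data) so the checks can be
# exercised offline: one stack that re-enables user_readenv, one where the same
# line is commented out, one plain default, and two homes of which only one
# contains a .pam_environment file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pam.d" "$root/home/alice" "$root/home/bob"
    printf 'session optional pam_env.so user_readenv=1\n' > "$root/pam.d/sshd"
    printf '#session optional pam_env.so user_readenv=1\n' > "$root/pam.d/login"
    printf 'session required pam_env.so\n' > "$root/pam.d/common-session"
    printf 'LANG DEFAULT=en_US.UTF-8\n' > "$root/home/alice/.pam_environment"
    echo "$root"
}

# Demonstration on the constructed tree; pass /etc/pam.d and /home for a real audit.
SAMPLE=$(make_sample_tree)
echo "pam_env stacks re-enabling user_readenv under $SAMPLE/pam.d:"
find_user_readenv_enabled "$SAMPLE/pam.d"
echo "per-user .pam_environment files under $SAMPLE/home:"
find_user_pam_env_files "$SAMPLE/home"
rm -rf "$SAMPLE"
```

On a live system, run the two find_* functions with /etc/pam.d and /home; any hit in the first list means the advisory's default was deliberately reverted and should be justified, and every file in the second list is user-writable input to the login stack.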
⚠️ Risk of Delay:
Unpatched systems remain vulnerable to local privilege escalation (LPE) and environment hijacking.
Conclusion & Next Steps
This PAM security update is critical for Linux-based enterprise environments. Immediate patching is strongly advised to prevent local privilege escalation and unauthorized access.