ubuntu exploit最新发现

Ubuntu Latest Exploits (2025)

1. Linux libblockdev + PAM Chain Exploit (CVE-2025-6018/CVE-2025-6019)

Description: A high-severity local privilege escalation chain affecting Ubuntu (alongside Debian, Fedora, and SUSE). CVE-2025-6018 is a PAM configuration flaw that grants “allow_active” status (normally reserved for local console users) to remote SSH sessions. CVE-2025-6019 exploits libblockdev (via udisks2) to execute root-level operations once “allow_active” is obtained.
Impact: Remote attackers with a low-privilege SSH account can chain these vulnerabilities to gain root access to the system, enabling full control over the server.
Affected Versions:

• Ubuntu systems running udisks2 (default installed) and libblockdev (common in most distributions).
• CVE-2025-6018 specifically impacts openSUSE Leap 15/SUSE Linux Enterprise 15; Ubuntu is affected via the libblockdev/udisks2 chain.
  Mitigation:
• Update libblockdev and udisks2 to the latest versions (Ubuntu: sudo apt update && sudo apt upgrade libblockdev udisks2).
• For CVE-2025-6018 (PAM), ensure /etc/pam.d/sshd does not include user_readenv=1 (default in Ubuntu is safe, but verify).
• Apply the official patches from Canonical for udisks2 and libblockdev.

2. Apport Core Dump Information Disclosure (CVE-2025-5054)

Description: A medium-severity vulnerability in Ubuntu’s default core dump handler (Apport). It allows local attackers with user namespace creation permissions to leak sensitive data (e.g., password hashes) from SUID process core dumps by exploiting a race condition.
Impact: Attackers can extract confidential information (e.g., /etc/shadow hashes) from crashed SUID programs, which could lead to further privilege escalation.
Affected Versions:

• Ubuntu 24.04 LTS and later (including 25.04), as well as 16.04 LTS (if Apport ≤2.33.0 is installed).
  Mitigation:
• Update Apport to the latest version (sudo apt update && sudo apt install --only-upgrade apport python3-apport).
• Disable SUID core dumps temporarily by setting /proc/sys/fs/suid_dumpable to 0 (add to /etc/sysctl.conf for persistence):

  echo "fs.suid_dumpable = 0" | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p
  

• Canonical has confirmed this issue is fixed in the latest Apport packages for all supported Ubuntu releases.

3. Sudo Path Resolution Vulnerability (CVE-2025-32463)

Description: A critical local privilege escalation in Sudo (1.9.14–1.9.17) caused by incorrect path resolution order. Attackers can force Sudo to load malicious libraries (e.g., libnss_xxx.so) from a crafted directory, bypassing security checks and gaining root access without being in the sudoers file.
Impact: Local non-privileged users can escalate to root, compromising the entire system.
Affected Versions:

• Ubuntu systems running Sudo 1.9.14 through 1.9.17 (check with sudo --version).
  Mitigation:
• Upgrade Sudo to version 1.9.17p1 or later (sudo apt update && sudo apt install --only-upgrade sudo).
• Ensure no malicious libraries exist in directories accessible to the user (e.g., /tmp, /var/tmp).
• Restrict Sudo permissions in /etc/sudoers to only necessary commands.

General Recommendations for Ubuntu Users

• Apply Updates Promptly: Use sudo apt update && sudo apt upgrade regularly to install security patches. Enable unattended upgrades (sudo apt install unattended-upgrades) for automatic patching.
• Restrict SSH Access: Disable root login (PermitRootLogin no in /etc/ssh/sshd_config) and use key-based authentication instead of passwords.
• Monitor System Activity: Use tools like auditd to track suspicious processes (e.g., unexpected core dumps, SUID program executions).
• Limit Namespace Permissions: Restrict user namespace creation to trusted users (edit /etc/subuid and /etc/subgid to limit ranges).

These exploits highlight the importance of proactive vulnerability management—especially for default services like Apport, udisks2, and Sudo—which are common targets for attackers due to their widespread use.