Posts
scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service
The scx project offers a range of dynamically loadable custom schedulers which make use of the Linux kernel's `sched_ext` feature. An optional D-Bus service `scx_loader` provides an interface accessible to all users, allowing them to change the scheduling properties of the system nearly arbitrarily, which leads to Denial-of-Service and other attack vectors. Upstream rejected parts of our report and moved the `scx_loader` component into a separate repository; no bugfix is available as of now.
OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875)
A world-writable `smtpd.sock` allows arbitrary local users to crash an OpenSMTPD instance in version 7.7.0. Upstream provided a bugfix after a longer period of silence, but a memory leak in the socket handling code may still linger, which remains unaddressed.
SUSE Security Team Spotlight Summer 2025
This is the summer 2025 edition and first anniversary of our spotlight series. The last two months have been surprisingly busy for us in the area of code reviews and we have quite a number of interesting stories to share with you. Among other topics we cover a local root exploit we found in systemd v258 release candidates, issues in logrotate drop-in configuration files, newly developed Varlink services and a symlink attack issue in chrony.
SUSE Security Team Spotlight Spring 2025
Welcome to the spring edition of our spotlight series. Spring time kept us busy with a couple of major security publications. With this post we want to take some time to discuss some of our other review efforts during the last three months that would otherwise not get much attention.
sslh: Remote Denial-of-Service Vulnerabilities
sslh is a protocol demultiplexer that makes it possible to offer different types of services on the same network port. During a routine review we identified two remote Denial-of-Service vulnerabilities and a number of non-security issues.
SELinux: finding an elegant solution for emulated Windows gaming on Tumbleweed
openSUSE Tumbleweed switched to using SELinux by default. The change caused problems when playing emulated Windows games through Proton or Wine. This post looks at the requirements for a fix and how a transparent solution was implemented.
Kea DHCP: Local Vulnerabilities in many Linux and BSD Distributions
Kea is the next generation DHCP server suite offered by the Internet Systems Consortium (ISC). During a routine review we found a local root exploit and a number of further local vulnerabilities in its REST API, affecting Kea packages found in many Linux and BSD distributions.
Multiple Security Issues in Screen
Screen is the traditional terminal multiplexer software used on Linux and Unix systems. We found a local root exploit in Screen 5.0.0 affecting Arch Linux and NetBSD, as well as a couple of other issues that partly also affect older Screen versions, which are still found in the majority of distributions.
Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation
At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
SUSE Security Team Spotlight Winter 2024/2025
Welcome to the winter edition of our spotlight series. A busy winter time has come to an end, and as usual in this post we give you an insight into some of our review efforts during that time that would otherwise not get much attention.
wait3() System Call as a Side Channel in Setuid Programs: nvidia-modprobe case study (CVE-2024-0149)
The nvidia-modprobe utility, a setuid-root helper for the proprietary Nvidia GPU display driver, contained an information disclosure vulnerability in versions prior to 550.144.03. Unprivileged users were able to determine the existence of arbitrary files on the system via the `wait3()` system call.
Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591)
Below is a tool for recording and displaying system data like hardware utilization and cgroup information. In Below versions up to and including v0.8.1 a world-writable log directory is created, which can lead to a local root exploit and other security issues.
KDE: Admittance of kio-admin into openSUSE
kio-admin is a KDE component that allows performing privileged file operations from GUI applications. A first request to add this package to openSUSE was rejected by the SUSE security team in 2022. After careful reevaluation of the situation, this is about to change. This post explores the background of this development.
pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531)
This PAM module allows the use of smart cards as an authentication factor on Linux. In its 0.6.12 release the use of PAM_IGNORE return values introduced a regression that can lead to a complete authentication bypass in some scenarios.
dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222)
dde-api-proxy is a component of the Deepin desktop environment that provides backward compatibility for legacy D-Bus service and interface names. We discovered a major authentication flaw in the design of this D-Bus proxy component.
pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013)
pam-u2f allows the use of U2F (Universal 2nd Factor) devices like YubiKeys in the PAM authentication stack. Improper use of PAM_IGNORE return values in the module implementation could allow a bypass of the second factor or password-less login without inserting the proper device.
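The pam_pkcs11 and pam-u2f entries above both come down to the same PAM property: a module that returns PAM_IGNORE is treated by the dispatcher as if it had not been listed in the stack, so an error path that answers PAM_IGNORE instead of PAM_AUTH_ERR silently removes the factor the administrator configured. The following is an added example, not code from pam-u2f, pam_pkcs11 or Linux-PAM: a reduced model of how Linux-PAM combines module results for the four classic control flags (the `[value=action]` syntax is left out), using Linux-PAM's numeric return codes. The stacks it evaluates are constructed, and `pam_secondfactor.so` is a hypothetical module name standing in for any second-factor module.

```c
/* Added example (not code from pam-u2f, pam_pkcs11 or Linux-PAM): a reduced
 * model of how Linux-PAM's dispatcher combines module results, to show why a
 * module that answers PAM_IGNORE on an error path weakens the whole stack. */
#include <stddef.h>
#include <stdio.h>

/* Return codes, with the numeric values Linux-PAM uses for them. */
enum { PAM_SUCCESS = 0, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };

/* The four classic control flags from pam.conf(5). */
enum control { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };

struct stack_entry {
    enum control ctrl;   /* control flag written in front of the module */
    int result;          /* what the module's pam_sm_authenticate() returned */
    const char *name;    /* module name, for readability of the constructed stacks */
};

/* Combine the results of an auth stack the way the Linux-PAM dispatcher does
 * (simplified: only the four classic controls, no [value=action] syntax).
 * A PAM_IGNORE result is skipped as if the module were not listed at all. */
int pam_stack_result(const struct stack_entry *stack, size_t n)
{
    enum { UNDEF, POSITIVE, NEGATIVE } impression = UNDEF;
    int status = PAM_PERM_DENIED;   /* Linux-PAM starts from PAM_MUST_FAIL_CODE */

    for (size_t i = 0; i < n; i++) {
        int r = stack[i].result;
        if (r == PAM_IGNORE)
            continue;               /* no vote at all: the module has vanished */

        switch (stack[i].ctrl) {
        case REQUIRED:
        case REQUISITE:
            if (r == PAM_SUCCESS) {
                if (impression == UNDEF) { impression = POSITIVE; status = r; }
            } else {
                if (impression != NEGATIVE) { impression = NEGATIVE; status = r; }
                if (stack[i].ctrl == REQUISITE)
                    return status;  /* requisite stops at the first failure */
            }
            break;
        case SUFFICIENT:
            /* success ends the stack unless a required module already failed;
             * a failing sufficient module is simply skipped */
            if (r == PAM_SUCCESS && impression != NEGATIVE)
                return PAM_SUCCESS;
            break;
        case OPTIONAL:
            /* counts only when no other module has voted yet */
            if (r == PAM_SUCCESS && impression == UNDEF) { impression = POSITIVE; status = r; }
            break;
        }
    }
    return status;
}

/* Constructed stacks: a password module followed by a hypothetical second
 * factor module "pam_secondfactor.so" whose device is not plugged in. */
int demo_second_factor_reports_error(void)
{
    const struct stack_entry stack[] = {
        { REQUIRED, PAM_SUCCESS,  "pam_unix.so" },
        { REQUIRED, PAM_AUTH_ERR, "pam_secondfactor.so" },   /* device missing -> AUTH_ERR */
    };
    return pam_stack_result(stack, 2);   /* PAM_AUTH_ERR: login refused */
}

int demo_second_factor_reports_ignore(void)
{
    const struct stack_entry stack[] = {
        { REQUIRED, PAM_SUCCESS, "pam_unix.so" },
        { REQUIRED, PAM_IGNORE,  "pam_secondfactor.so" },    /* device missing -> IGNORE */
    };
    return pam_stack_result(stack, 2);   /* PAM_SUCCESS: the password alone is enough */
}

int demo_only_module_reports_ignore(void)
{
    const struct stack_entry stack[] = {
        { REQUIRED, PAM_IGNORE, "pam_secondfactor.so" },
    };
    return pam_stack_result(stack, 1);   /* PAM_PERM_DENIED: nothing voted, fail closed */
}

int main(void)
{
    printf("second factor -> AUTH_ERR : %d\n", demo_second_factor_reports_error());
    printf("second factor -> IGNORE   : %d\n", demo_second_factor_reports_ignore());
    printf("lone module   -> IGNORE   : %d\n", demo_only_module_reports_ignore());
    return 0;
}
```

The middle case is the one that matters for a reviewer: with `auth required pam_unix.so` followed by a `required` second-factor module, the stack degrades to password-only authentication as soon as the second module answers PAM_IGNORE on its error path, while the same configuration refuses the login if the module reports PAM_AUTH_ERR. The last case shows the dispatcher's fail-closed default when no module votes at all, which is why the bypass depends on what else is in the stack.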
SSSD: Weaknesses in Privilege Separation due to Issues in Privileged Helper Programs
SSSD (System Security Services Daemon) is a suite of daemons dealing with user authentication based on mechanisms like LDAP, Kerberos and FreeIPA. We found privilege escalation paths in a number of helper binaries running with raised Linux capabilities when privilege separation is enabled.
SUSE Security Team Spotlight Autumn 2024
This is the second edition of our new spotlight series. Autumn is always a busy time at SUSE, when new service packs and products are prepared. This also results in an increased number of review requests arriving for the SUSE security team. This post features a mixture of D-Bus interfaces, Polkit authentication, temporary file handling issues, a small PAM module and setgid binary, Varlink IPC in systemd as well as some other topics.
stalld: unpatched fixed temporary file use and other issues
Stalld is a daemon to prevent starvation of operating system threads on Linux. We discovered a problematic use of a fixed temporary file and other issues in the project, but upstream did not respond to our findings.
tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337)
In tuned version 2.23 new D-Bus methods have been added to its privileged daemon. We identified a couple of issues in the additions, including a local root exploit.
authentik: remote timing attack in MetricsView HTTP Basic Auth (CVE-2024-52307)
Authentik is a popular open source identity provider that can be self-hosted. While investigating the overall security of the project we discovered a remote timing attack weakness in the code. We also looked at the big picture of security in Authentik.
oath-toolkit: privilege escalation in pam_oath.so (CVE-2024-47191)
oath-toolkit contains libraries and utilities for managing one-time password (OTP) authentication, e.g. as a second factor to password authentication. Its pam_oath.so PAM module performs unsafe operations in directories potentially controlled by unprivileged users, leading to possible privilege escalation.
pcp: pmcd network daemon review (CVE-2024-45769), (CVE-2024-45770)
Performance Co-Pilot (PCP) is a system for collecting system performance data and sharing it over the network. We performed a review of its main networking daemon component pmcd, which resulted in two CVEs and a couple of other noteworthy findings.
SUSE Security Team Spotlight Summer 2024
Although there have been no major security findings in recent months, the SUSE security team has not been inactive. We revisited a couple of packages like Deepin desktop D-Bus services and the Croc file sharing tool, we finalized leftover KDE6 topics, checked up on our OpenSSH downstream patches, reviewed an age-old Emacs setuid binary and looked into an OpenVPN kernel module.
gnome-remote-desktop: D-Bus system service in GNOME release 46 (CVE-2024-5148)
A newly added D-Bus system service for gnome-remote-desktop release 46 exposes the remote desktop's private SSL certificate to other local users.
dnf5daemon-server: Incomplete fix of CVE-2024-1929 (CVE-2024-2746)
The dnf5 D-Bus daemon security issues we found previously have been incompletely fixed. This allows for local DoS and possibly privilege escalation.
KDE6 release: D-Bus and Polkit Galore
In the context of the KDE desktop version 6 major release we looked into a series of D-Bus services using Polkit for authentication. This led to a couple of interesting findings and insights.
dnf5daemon-server: Local root Exploit and Local Denial-of-Service in dnf5 D-Bus Components
The dnf5 D-Bus service component allows local attackers with access to the system bus to gain root privileges or trigger denial-of-service.
Performance Co-Pilot (pcp): Unsafe use of Directories in /var/lib/pcp and /var/log/pcp breaks pcp Service User Isolation (CVE-2023-6917)
The pcp performance analysis toolkit operates as root in directories controlled by the pcp service user, which allows escalating privileges from the pcp user to root.
darkhttpd: timing attack and local leak of HTTP basic auth credentials
Darkhttpd is a minimal HTTP web server implemented in the C programming language, for serving static files. This report deals with HTTP basic auth issues in the darkhttpd project.
pam: pam_namespace misses O_DIRECTORY flag in protect_dir() (CVE-2024-22365)
This is a report about a local denial-of-service vulnerability in the pam_namespace.so PAM module. This module is part of the core PAM modules found in the linux-pam project.
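The title names the missing piece: an O_DIRECTORY flag in the path-protection routine. Without it, open(2) on a path component happily opens whatever object sits there, and a FIFO placed by an unprivileged user makes the privileged caller block until a writer shows up. The following is an added example, not code from linux-pam: it walks a directory path one component at a time with openat(2) and O_DIRECTORY|O_NOFOLLOW, then demonstrates on a constructed layout under /tmp (a FIFO named `sub`, standing in for a replaced component) that the naive open accepts the FIFO while the component-wise open rejects it with ENOTDIR. The naive open carries O_NONBLOCK only so the demo cannot hang; the real blocking open is exactly the denial of service.

```c
/* Added example (not code from linux-pam): open a directory path one
 * component at a time with O_DIRECTORY|O_NOFOLLOW, which is the property the
 * page says protect_dir() lacked.  A component swapped for a FIFO is rejected
 * with ENOTDIR instead of blocking the caller forever in open(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `path` (absolute) from "/" with openat(), insisting that every
 * component is a directory and not a symlink.  Returns an fd for the final
 * directory, or -1 with errno set to the first failure (ENOTDIR, ELOOP, ...). */
int open_dir_securely(const char *path)
{
    if (path[0] != '/') { errno = EINVAL; return -1; }

    char *copy = strdup(path);
    if (copy == NULL) return -1;

    int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    char *save = NULL;
    for (char *part = strtok_r(copy, "/", &save); fd >= 0 && part != NULL;
         part = strtok_r(NULL, "/", &save)) {
        /* O_DIRECTORY: fail with ENOTDIR on a FIFO, device or regular file
         * before anything is actually opened; O_NOFOLLOW: ELOOP on a symlink. */
        int next = openat(fd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(fd);
        fd = next;
        errno = saved;
    }
    int saved = errno;
    free(copy);
    errno = saved;
    return fd;
}

/* Demo on a constructed layout under /tmp: a fresh directory whose "sub"
 * entry is a FIFO, standing in for a component an unprivileged user replaced.
 * Returns the errno of the secure open (expected: ENOTDIR) after the naive
 * open has accepted the FIFO; 0 if the FIFO was wrongly accepted; -1 on
 * setup trouble. */
int demo_fifo_component(void)
{
    char tmpl[] = "/tmp/protect_dir_demo.XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;

    char fifo[sizeof tmpl + 4];
    snprintf(fifo, sizeof fifo, "%s/sub", tmpl);
    if (mkfifo(fifo, 0600) != 0) { rmdir(tmpl); return -1; }

    int result = -1;

    /* Naive open, as a routine without O_DIRECTORY would do it.  O_NONBLOCK is
     * added here only so the demo cannot hang; without it this call blocks
     * until someone opens the FIFO for writing, which is the DoS. */
    int naive = open(fifo, O_RDONLY | O_NONBLOCK);
    if (naive >= 0) {
        close(naive);
        int secure = open_dir_securely(fifo);
        if (secure < 0) {
            result = errno;         /* ENOTDIR: the FIFO is refused */
        } else {
            close(secure);
            result = 0;
        }
    }

    unlink(fifo);
    rmdir(tmpl);
    return result;
}

int main(void)
{
    int e = demo_fifo_component();
    printf("secure open of a FIFO component -> %s\n",
           e > 0 ? strerror(e) : "unexpected result");
    return 0;
}
```

The check sits at the right place: the kernel evaluates O_DIRECTORY during path lookup, before a FIFO open would start waiting for a peer, so the privileged caller never blocks. Holding the fd of each parent and using openat() for the next step also closes the window in which a component could be swapped between the check and the use.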
budgie-extras: Multiple Predictable /tmp Path Issues in Various Applications
This report is about a range of predictable /tmp path issues in various applications in the budgie-extras repository. This repository contains a range of helper applications for the Budgie desktop environment.
hplip: Security Issues in hpps Program due to Fixed /tmp Path Usage
This report is about the problematic use of fixed temporary paths in the hpps program from the hplip project. hplip is a collection of utilities for HP printer and scanner devices.
Security Issues in Passim Local Caching Server
This is a report about findings in the Passim local caching server. Passim is a relatively new project for a local caching server that helps distribute publicly available files in local networks to save network bandwidth.
File Descriptor Hijack vulnerability in open-vm-tools (CVE-2023-34059)
During a routine review of the setuid-root binary vmware-user-suid-wrapper from the open-vm-tools repository, a security vulnerability was found. CVE-2023-34059 identifies a file descriptor hijack in open-vm-tools.
check_smart.pl: unprivileged user can alter hard drive settings (CVE-2021-42257)
check_smart.pl from version 6.1 through 6.9 contained insufficient input validation that allowed any unprivileged local user to modify SMART settings, disable SMART monitoring entirely, shut down a drive or degrade a drive's performance by disabling its read cache.