Merged
1 change: 1 addition & 0 deletions docs/OSGSecurityAnnouncements.md
@@ -1,5 +1,6 @@
| Date | Title | Contents/Link | Risk |
|-------------|-------------------------------------------------------|---------------------|---------------|
| 2024-12-05 | linux-pam: Incomplete fix for CVE-2025-6020 (CVE-2025-8941) | [OSG-SEC-2025-09-04](./vulns/OSG-SEC-2025-09-04.md) | |
| 2024-12-05 | Stack based buffer overflow detected in XRootD 5.7.x | [OSG-SEC-2024-12-05](./vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md) | |
| 2024-10-03 | IDTOKEN Signing Key Present In OSG Hosted-CE Container Images | [OSG-SEC-2024-10-03](./vulns/OSG-SEC-2024-10-03.md) | |
| 2024-01-09 | HIGH SSH vulnerability exploitable in Terrapin attack | [OSG-SEC-2024-01-08](./vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md) | |
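
Review bot: The Date cell on the new OSG-SEC-2025-09-04 row reads 2024-12-05, identical to the XRootD row directly beneath it, while the announcement ID and both CVE numbers are from 2025. This looks copied from the neighbouring row and should carry the announcement's own date. The Risk cell is also left empty although the advisory heading added in this same PR rates the issue HIGH; the existing rows leave it blank as well, so either fill it in here or drop the column in a follow-up.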
39 changes: 39 additions & 0 deletions docs/vulns/OSG-SEC-2025-09-04.md
@@ -0,0 +1,39 @@
# OSG-SEC-2025-09-04 HIGH linux-pam: Incomplete fix for CVE-2025-6020 (CVE-2025-8941)


Dear OSG Security Contacts,

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root.
This CVE provides a "complete" fix for CVE-2025-6020. Successful exploitation requires only the ability to create and manipulate filesystem paths in such directories, without the need for special capabilities or kernel-level vulnerabilities.


## IMPACTED VERSIONS:

RHEL version 8 and 9 and others.

## WHAT ARE THE VULNERABILITIES:

This vulnerability in pam_namespace is rated Important because it allows a local, unprivileged user to escalate privileges to root by exploiting symlink attacks or race conditions in polyinstantiated directories under their control. Successful exploitation requires only the ability to create and manipulate filesystem paths in such directories, without the need for special capabilities or kernel-level vulnerabilities.
In multi-user environments—such as shared systems, terminal servers, or certain container deployments, an unprotected or misconfigured pam_namespace configuration can serve as a single point of compromise. Privilege escalation flaws of this nature may also be chained with other vulnerabilities to maintain persistence or evade detection, further increasing the overall impact.
## Attack Preconditions:
Any valid, unprivileged user account.
Ability to create/manipulate files in polyinstantiated directories (/tmp, /var/tmp, etc.).
## WHAT YOU SHOULD DO:

Upgrade to secure packages as they become available.
Interim mitigation: Disable pam_namespace.so in /etc/pam.d/systemd-user, /etc/pam.d/login, and /etc/pam.d/remote if not strictly needed.
RHEL 7 is impacted, but no fix is available as RHEL 7 has reached End of Maintenance (EOM) support as of June 30, 2024. The fix for RHEL 7 is to upgrade to a supported OS version.

## REFERENCES:
- [1] https://access.redhat.com/errata/RHSA-2025:15099
- [2] https://bugzilla.redhat.com/show_bug.cgi?id=2388220
- [3] https://access.redhat.com/security/cve/cve-2025-8941
- [4] https://nvd.nist.gov/vuln/detail/CVE-2025-8941
- [5] https://security-tracker.debian.org/tracker/CVE-2025-8941
- [6] https://errata.almalinux.org/
- [7] https://errata.build.resf.org/


Please contact the OSG security team at security@osg-htc.org if you have any questions or concerns.

OSG Security Team
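
Review bot: In the opening paragraph, 'This CVE provides a "complete" fix for CVE-2025-6020' contradicts the heading, which describes CVE-2025-8941 as an incomplete fix for CVE-2025-6020; a CVE identifies a flaw rather than supplying a fix, so reword it, for example "CVE-2025-8941 tracks the incomplete fix for CVE-2025-6020". The sentence beginning "Successful exploitation requires only" appears verbatim in both the introduction and the WHAT ARE THE VULNERABILITIES section, so one copy can go. IMPACTED VERSIONS names RHEL 8 and 9 "and others" while WHAT YOU SHOULD DO states that RHEL 7 is impacted; list RHEL 7 explicitly in the versions section. The two lines under Attack Preconditions and the three under WHAT YOU SHOULD DO have no list markers or blank lines between them, so Markdown will join each group into a single paragraph; make them bullet items, and add a blank line before the "## Attack Preconditions:" and "## WHAT YOU SHOULD DO:" headings to match the other sections. The sentence "In multi-user environments—such as ... container deployments," opens the aside with a dash and closes it with a comma; use the same punctuation on both sides.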
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -12,6 +12,7 @@ nav:
- Overview: 'OSGSecurityAnnouncements.md'
- Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
- Announcement Details:
- OSG-SEC-2025-09-04 Linux pam Incomplete fix for CVE-2025-6020 (CVE-2025-8941): './vulns/OSG-SEC-2025-09-04.md'
- OSG-SEC-2024-12-05 Stack based buffer overflow detected in XRootD-5.7.x: './vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md'
- OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images: './vulns/OSG-SEC-2024-10-03.md'
- OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks: './vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md'
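
Review bot: The new nav label writes "Linux pam" and omits the severity, whereas the advisory heading added in this PR reads "OSG-SEC-2025-09-04 HIGH linux-pam: Incomplete fix ..." and the announcements table uses "linux-pam:". Align the label with the page heading, as the OSG-SEC-2024-01-08 entry does with its HIGH, so the nav, the table row and the page title all match.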