# TLP Power Daemon Authorization Bypass Vulnerability
## Overview
TLP contains an improper authentication (Improper Authentication) vulnerability that lets any local user control the power profile in use on the system and the daemon's log settings, without the Polkit authorization the daemon is meant to enforce.
## Affected versions
TLP 1.9.0, the first release that ships the profiles daemon, up to but not including 1.9.1. Fixed in TLP 1.9.1.
## Details
The profiles daemon added in TLP 1.9.0 runs as root and exposes a D-Bus API. Before acting on a request it asks Polkit whether the caller is authorized, in a helper named `_check_polkit_auth()`. That helper identifies the caller to Polkit with a "unix-process" subject (process ID plus start time). Polkit documents this subject type as racy: a process ID does not reliably identify the caller's security context at the moment Polkit evaluates it, because the calling process can exit and be replaced, or re-execute itself as a privileged (setuid-root) program, after sending the request and before Polkit inspects it. A local attacker who wins that race bypasses the authorization check entirely and can set the power profile and change the daemon's log configuration without administrator rights. The subject type a D-Bus service should use instead is the caller's unique bus name ("system-bus-name"), which is bound to the connection rather than to a reusable process ID.
The same review found three lower-severity issues in the daemon's hold API (predictable hold cookies, an unhandled exception on a non-integer cookie, and an unbounded number of holds); these did not receive CVEs.
## Impact
An attacker can manipulate the system power policy (for example forcing performance or power-saver mode), which can cause abnormal performance, accelerated battery wear or overheating. Changing the daemon's log settings can also suppress evidence of malicious activity and create an audit blind spot.
Web vulnerability: No
Reasoning: the vulnerable component is a local D-Bus service; exploitation requires an account on the affected machine, not network access.
No proof-of-concept entries are listed.
Title: 1254768 – (CVE-2025-67859) AUDIT-TRACKER: CVE-2025-67859: tlp: new D-Bus service implementing PowerProfiles API -- 🔗 Source link
Tags: (none)
神龙 quick read:
- **Bug ID**: Bug 1254768, CVE-2025-67859
- **Type**: Audit tracker - tlp: new D-Bus service implementing PowerProfiles API
- **Product**: SUSE Security Incidents
- **Component**: Audits
- **Reporter**: Thomas Renninge
- **Reported**: 2025-12-10 20:46 UTC
- **Status**: IN PROGRESS
- **Priority**: P5 - None
- **Alias**: CVE-2025-67859
- **Uncovered vulnerabilities**:
  - CVE-2025-67859
- **Origin**: found during code review by the SUSE security team
- **Publish date**: not given in the tracker; set once the issue had been reviewed and a severity score established
Title: TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) | SUSE Security Team Blog -- 🔗 Source link
Tags: (none)
神龙 quick read:
Summary of the key points of the blog post:
## TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859)
### 1) Introduction
- TLP, a utility for saving laptop battery power, added a profiles daemon with a D-Bus API in version 1.9.0.
- A review of its Polkit authentication logic found a complete authentication bypass.
- Further problems were found in the area of local denial of service (DoS).
### 2) Overview of the TLP Daemon
- The new power daemon is implemented as a Python script.
- It runs with full root privileges and accepts D-Bus connections from local clients.
- Polkit authorization for the actions defined in its policy file is checked in the `_check_polkit_auth()` function.
### 3) Security Issues
#### 3.1 Polkit Authorization Check can be Bypassed
- `_check_polkit_auth()` identifies the caller with Polkit's "unix-process" subject, which is subject to a race condition: the process ID does not reliably identify the caller at the time Polkit evaluates it.
- Local users can therefore bypass authorization and control the power profile and the daemon's log settings.
#### 3.2 Predictable Cookie Values in HoldProfile Method Allow to Release Holds
- `HoldProfile` returns a predictable cookie value, so any local user can release profile holds that belong to other clients.
#### 3.3 Non-Integer cookie Parameter in "ReleaseProfile" Method Leads to Unhandled Exception
- `ReleaseProfile` expects an integer `cookie` parameter.
- A non-integer value raises an unhandled exception in the method handler; the daemon itself keeps running.
#### 3.4 Unlimited Number of Profile Holds Provides DoS Attack Surface
- Local users can create an unbounded number of profile holds, exhausting the daemon's resources (local DoS).
### 4) CVE Assignment
- CVE-2025-67859 was assigned to the Polkit authentication bypass.
- The remaining issues (predictable cookies, unhandled exception, unlimited holds) were reported but did not receive separate CVEs because of their low severity.
### 5) Coordinated Disclosure
- Initial contact with the upstream developer on 2025-12-16.
- Patches were reviewed and improvements suggested.
- The final fix was published in release 1.9.1 on 2026-01-07.
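The race described in section 3.1 of the SUSE summary above, as an added example that is not TLP's or polkit's code: the polkit authority, the process table and the bus daemon's credential cache are simulated so it runs offline, and the action id, process id, uid and bus name are constructed values. It shows the shape of the two subject forms accepted by `org.freedesktop.PolicyKit1.Authority.CheckAuthorization` and why the pid-based one resolves to root when the caller re-executes itself as a setuid-root program between sending the request and the check, while the bus-name one still resolves to the original uid.

```python
# Added example, not code from TLP or polkit. The polkit authority, the
# process table and the D-Bus daemon's credential cache are simulated so
# the example runs offline; the subject tuples have the shape that
# org.freedesktop.PolicyKit1.Authority.CheckAuthorization accepts.
from dataclasses import dataclass, field
from typing import Dict, Tuple

ACTION = "org.example.tlp.set-profile"   # hypothetical action id


@dataclass
class FakeSystem:
    # pid -> (uid, start_time); start_time stands in for the kernel's
    # process start time that polkit stores next to the pid.
    procs: Dict[int, Tuple[int, int]] = field(default_factory=dict)
    # Unique bus name -> uid, as cached by the bus daemon when the
    # connection was opened (this is what system-bus-name resolves through).
    bus_owner: Dict[str, int] = field(default_factory=dict)

    def exec_setuid_root(self, pid: int) -> None:
        # execve() keeps both the pid and the start time; only the
        # effective uid changes. This is the window the race exploits.
        _, start = self.procs[pid]
        self.procs[pid] = (0, start)


def unix_process_subject(pid: int, start_time: int):
    # The racy subject form: identifies the caller by pid (+ start time).
    return ("unix-process", {"pid": pid, "start-time": start_time})


def system_bus_name_subject(sender: str):
    # Subject bound to the D-Bus connection, not to a pid.
    return ("system-bus-name", {"name": sender})


def fake_check_authorization(system: FakeSystem, subject, action_id: str) -> bool:
    # Stand-in for CheckAuthorization under an admin-only policy: uid 0 is
    # authorized, everyone else is denied. What matters is which uid the
    # subject resolves to *at check time*.
    kind, details = subject
    if kind == "unix-process":
        entry = system.procs.get(details["pid"])
        if entry is None:
            return False
        uid, _start = entry
    elif kind == "system-bus-name":
        uid = system.bus_owner.get(details["name"], -1)
    else:
        raise ValueError(f"unsupported subject kind {kind!r} for {action_id}")
    return uid == 0


def run_check(attacker_races: bool) -> Tuple[bool, bool]:
    # An unprivileged caller (uid 1000, pid 4242, bus name :1.57) calls the
    # daemon. The daemon captures the subject first; polkit resolves it
    # later. Returns (unix_process_result, system_bus_name_result).
    sysm = FakeSystem(procs={4242: (1000, 100)}, bus_owner={":1.57": 1000})
    racy = unix_process_subject(4242, start_time=100)
    safe = system_bus_name_subject(":1.57")
    if attacker_races:
        sysm.exec_setuid_root(4242)   # between the request and the check
    return (fake_check_authorization(sysm, racy, ACTION),
            fake_check_authorization(sysm, safe, ACTION))


if __name__ == "__main__":
    print("no race:  ", run_check(False))   # (False, False)
    print("with race:", run_check(True))    # (True, False)
```

In a real daemon the bus name is the `sender` that the D-Bus binding hands to the method handler; polkit resolves it through the bus daemon, so the caller cannot change the answer after the request is sent. Recent polkit releases also accept a `uid` key in the unix-process details, which narrows the setuid window, but a D-Bus service has the caller's unique name available and should simply use it.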
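A hold registry covering the three lower-severity findings (sections 3.2 to 3.4 above), as an added example rather than TLP's implementation: cookies come from `secrets.randbits` instead of a counter, `ReleaseProfile` rejects non-integer cookies before looking them up and refuses to release another caller's hold, and the number of holds per caller is capped. The profile names, the cap of 8 holds per caller, the 64-bit cookie width and the power-saver-over-performance precedence are assumptions for the example.

```python
# Added example, not TLP's code: a hold registry for a PowerProfiles-style
# HoldProfile/ReleaseProfile pair. Profile names, the per-caller cap, the
# cookie width and the precedence rule are assumptions for this example.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

PROFILES = ("power-saver", "balanced", "performance")   # assumed profile set
MAX_HOLDS_PER_SENDER = 8                                 # assumed cap
COOKIE_BITS = 64                                         # fits a D-Bus 't'


class HoldError(Exception):
    """Mapped to a D-Bus error reply by the real service; never a crash."""


@dataclass(frozen=True)
class Hold:
    sender: str    # unique bus name of the client that took the hold
    profile: str
    reason: str


class HoldRegistry:
    def __init__(self, rng: Callable[[int], int] = secrets.randbits):
        self._holds: Dict[int, Hold] = {}
        self._rng = rng

    def hold_profile(self, sender: str, profile: str, reason: str) -> int:
        if profile not in PROFILES:
            raise HoldError(f"unknown profile {profile!r}")
        if self.count_for(sender) >= MAX_HOLDS_PER_SENDER:
            raise HoldError("too many holds for this caller")
        while True:
            cookie = self._rng(COOKIE_BITS)   # unpredictable, not a counter
            if cookie and cookie not in self._holds:
                break
        self._holds[cookie] = Hold(sender, profile, reason)
        return cookie

    def release_profile(self, sender: str, cookie: object) -> None:
        # Check the type before touching the table; bool is an int subclass
        # in Python, so reject it explicitly.
        if isinstance(cookie, bool) or not isinstance(cookie, int):
            raise HoldError("cookie must be an integer")
        hold = self._holds.get(cookie)
        # Unknown and foreign cookies get the same reply: no oracle for
        # guessing which cookies exist.
        if hold is None or hold.sender != sender:
            raise HoldError("no such hold")
        del self._holds[cookie]

    def release_all_for(self, sender: str) -> int:
        # For the NameOwnerChanged handler: a client that disconnects or
        # crashes must not leave holds behind.
        dead = [c for c, h in self._holds.items() if h.sender == sender]
        for c in dead:
            del self._holds[c]
        return len(dead)

    def count_for(self, sender: str) -> int:
        return sum(1 for h in self._holds.values() if h.sender == sender)

    def active_profile(self, default: str = "balanced") -> str:
        # Assumed precedence: a power-saver hold wins over performance holds.
        held = {h.profile for h in self._holds.values()}
        if "power-saver" in held:
            return "power-saver"
        if "performance" in held:
            return "performance"
        return default


def _raises(fn: Callable[[], object]) -> bool:
    try:
        fn()
    except HoldError:
        return True
    return False


def exercise() -> dict:
    # Walk through the findings with constructed callers (:1.5, :1.6, :1.7).
    reg = HoldRegistry()
    out = {}
    c_perf = reg.hold_profile(":1.5", "performance", "compile job")
    out["cookie_is_64bit"] = 0 < c_perf < 2 ** COOKIE_BITS
    out["profile_after_perf"] = reg.active_profile()
    c_save = reg.hold_profile(":1.6", "power-saver", "battery low")
    out["profile_with_both"] = reg.active_profile()
    # 3.2: a different caller cannot release :1.5's hold, cookie or not.
    out["foreign_release"] = _raises(lambda: reg.release_profile(":1.6", c_perf))
    # 3.3: wrong-typed cookies get a defined error, not an unhandled TypeError.
    out["string_cookie"] = _raises(lambda: reg.release_profile(":1.5", "42"))
    out["bool_cookie"] = _raises(lambda: reg.release_profile(":1.5", True))
    # 3.4: the per-caller cap bounds what one client can allocate.
    for _ in range(MAX_HOLDS_PER_SENDER):
        reg.hold_profile(":1.7", "performance", "spam")
    out["cap_hit"] = _raises(lambda: reg.hold_profile(":1.7", "performance", "spam"))
    out["cleaned"] = reg.release_all_for(":1.7")
    reg.release_profile(":1.5", c_perf)
    reg.release_profile(":1.6", c_save)
    out["profile_after_cleanup"] = reg.active_profile()
    return out


if __name__ == "__main__":
    for k, v in exercise().items():
        print(f"{k:22} {v}")
```

Binding the hold to the caller's unique bus name is what makes the cookie a handle rather than a secret: even a cookie that leaks cannot be used from another connection, and the `NameOwnerChanged` cleanup keeps the table bounded by live clients rather than by how many requests they have sent.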