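Qualys has disclosed two vulnerabilities in Linux core-dump handlers (CVE-2025-5054 and CVE-2025-4598) that affect systems such as Ubuntu, RHEL, and Fedora. Attackers can exploit a race condition to extract sensitive data such as password hashes. The recommendation is to temporarily disable SUID core dumps and wait for official patches. 2025-6-2 06:51:46 Author: gbhackers.com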

The Qualys Threat Research Unit (TRU) has disclosed two significant local information disclosure vulnerabilities—CVE-2025-5054 and CVE-2025-4598—impacting the core-dump handlers Apport and systemd-coredump on millions of Linux systems.

These race-condition vulnerabilities could enable local attackers to extract highly sensitive data, including password hashes, by manipulating the crash reporting mechanisms embedded in popular distributions such as Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora.

Technical Overview:

Both vulnerabilities stem from race conditions in the way core-dump handlers process crashes of SUID (Set User ID) programs.


In the case of Apport (CVE-2025-5054), which is Ubuntu’s default crash-reporting tool, a local attacker can exploit process ID reuse and Linux namespaces to substitute a privileged process with another before Apport completes its checks.

This allows the attacker to redirect the core dump, which may contain sensitive memory data such as password hashes from /etc/shadow, into an attacker-controlled namespace.

Similarly, CVE-2025-4598 targets systemd-coredump, the default handler on RHEL 9/10 and Fedora.

Here, an attacker can crash a SUID process and rapidly replace it with a non-SUID process, tricking systemd-coredump into granting access to the privileged core dump.

Proof-of-concept (PoC) code from Qualys demonstrates that the unix_chkpwd process, present by default on most Linux distributions, can be exploited in this manner to leak hashed passwords.

Example Mitigation Command

To temporarily disable SUID core dumps and block these attack vectors, administrators can execute:

    echo 0 > /proc/sys/fs/suid_dumpable

This setting prevents all SUID programs from generating core dumps, closing the window for exploitation until official patches are deployed.
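One way to audit this setting and keep it across reboots, as an added example that is not from the original article or from Qualys. A write to /proc lasts only until the next boot, so the script also writes a sysctl drop-in; the `60-disable-suid-coredumps.conf` file name and the optional directory arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and persist fs.suid_dumpable=0.
# The directory arguments and the drop-in file name are assumptions.

# Map a kernel.core_pattern value to the handler that receives crash dumps.
classify_handler() {
    case "$1" in
        "|"*apport*)           echo "apport" ;;
        "|"*systemd-coredump*) echo "systemd-coredump" ;;
        "|"*)                  echo "other-pipe" ;;
        *)                     echo "file" ;;
    esac
}

# Report whether SUID core dumps are disabled. $1 = sysctl root (default /proc/sys).
# Returns 0 when mitigated, 1 when SUID dumps are still enabled, 2 when unreadable.
audit_suid_dumps() {
    root="${1:-/proc/sys}"
    if ! dumpable=$(cat "$root/fs/suid_dumpable" 2>/dev/null); then
        echo "unknown"
        return 2
    fi
    pattern=$(cat "$root/kernel/core_pattern" 2>/dev/null || true)
    handler=$(classify_handler "$pattern")
    if [ "$dumpable" = "0" ]; then
        echo "mitigated handler=$handler"
        return 0
    fi
    echo "not-mitigated suid_dumpable=$dumpable handler=$handler"
    return 1
}

# Write a sysctl drop-in so the setting survives a reboot. $1 = directory
# (default /etc/sysctl.d). Apply it afterwards with: sysctl --system
persist_mitigation() {
    dir="${1:-/etc/sysctl.d}"
    conf="$dir/60-disable-suid-coredumps.conf"   # hypothetical file name
    printf '# Stopgap for CVE-2025-5054 / CVE-2025-4598\nfs.suid_dumpable = 0\n' \
        > "$conf" && echo "$conf"
}

# Run the audit against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_suid_dumps
fi
```

Run it with `--audit` to check the live system; `persist_mitigation` needs root when it targets /etc/sysctl.d.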

Affected Systems, Impact

Affected Versions:

  • Apport (CVE-2025-5054): All Ubuntu releases from 16.04 to 24.04, with Apport versions up to 2.33.0, are vulnerable.
  • systemd-coredump (CVE-2025-4598): Fedora 40/41, RHEL 9 and 10 are affected. Debian is not vulnerable by default, as it lacks a core-dump handler unless systemd-coredump is manually installed.

Potential Impact:

Attackers exploiting these vulnerabilities can extract sensitive information—password hashes, encryption keys, or proprietary data—from process memory.

This can lead to privilege escalation, lateral movement within networks, operational downtime, reputational harm, and regulatory non-compliance.

Mitigation and Patch Guidance:

  • Immediate Mitigation: Set /proc/sys/fs/suid_dumpable to 0 to block SUID core dumps. This disables debugging for SUID programs but is an essential stopgap when patching is not immediately possible.
  • Patching: Ubuntu, Red Hat, and Fedora have released or are preparing updates. Administrators should apply vendor patches as soon as available.
  • Qualys TruRisk™ Eliminate: Organizations using Qualys Cloud Agent can leverage the TruRisk™ Eliminate module to automate mitigation deployment and streamline vulnerability management, reducing exposure time and operational risk.

Proactive Security: Lessons and Next Steps

These discoveries highlight the persistent risks in core-dump handling and the necessity of proactive vulnerability management.

While core dumps are invaluable for debugging, they also represent a high-value target for attackers due to the sensitive data they may contain.

Security teams are urged to prioritize patching, implement temporary mitigations, and use integrated risk management tools like Qualys TruRisk™ Eliminate to automate and accelerate their response.

As the threat landscape evolves, robust monitoring, access control, and rapid incident response remain critical for safeguarding enterprise Linux environments against emerging exploitation techniques.

The Qualys TRU advisories and mitigation scripts provide a blueprint for organizations to neutralize these vulnerabilities swiftly and effectively.


Anupriya


Anupriya is a cybersecurity reporter at GBHackers On Security, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.


Source: https://gbhackers.com/new-linux-security-bugs/