Linux Bugs Leak Password Hashes in Ubuntu, RHEL, and Fedora

Two Linux flaws let attackers steal password hashes through core dumps on Ubuntu, RHEL, and Fedora. Users are urged to update immediately.

By Jace Reed

Two newly discovered vulnerabilities in Linux core dump handlers, identified as CVE-2025-5054 and CVE-2025-4598, pose significant risks to Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora systems.

These race condition flaws, uncovered by the Qualys Threat Research Unit, could allow local attackers to access sensitive data, such as password hashes from the /etc/shadow file, by exploiting core dumps of SUID programs.

The vulnerabilities affect Apport, Ubuntu’s crash-reporting tool, and systemd-coredump, used in RHEL 9, RHEL 10, and Fedora 40/41. With proof-of-concept exploits publicly available, Linux administrators are urged to apply patches and mitigations to safeguard system confidentiality.

Vulnerability Details: CVE-2025-5054 and CVE-2025-4598

The vulnerabilities stem from race conditions in the processes that handle core dumps. CVE-2025-5054, with a CVSS score of 4.7, affects Ubuntu’s Apport package up to version 2.32.0. It allows a local attacker with user namespace permissions to exploit a crash in a privileged SUID process, redirecting its core dump into a namespace to access sensitive data.

CVE-2025-4598, also rated 4.7, targets systemd-coredump in RHEL 9, RHEL 10, and Fedora. It enables an attacker to crash an SUID process, replace it with a non-SUID binary, and access the original process’s core dump, potentially exposing password hashes or encryption keys. Debian systems are unaffected by CVE-2025-4598 unless systemd-coredump is manually installed, and Ubuntu is not impacted by CVE-2025-4598.

Exploitation and Impact

Both vulnerabilities exploit SUID programs, which run with the privileges of their owner rather than the user executing them. By inducing a crash in a process like unix_chkpwd, used for password verification, attackers can access core dumps containing sensitive in-memory data. Qualys demonstrated this through proof-of-concept exploits, showing how attackers could extract /etc/shadow password hashes.

While the CVSS score of 4.7 indicates moderate severity due to the high complexity of exploitation, requiring local access and precise timing, the potential compromise of hashed passwords or other sensitive data poses significant risks. Enterprises face threats of operational downtime, reputational damage, and regulatory non-compliance if these vulnerabilities are exploited.

Did You Know?
Core dumps, while essential for debugging, can inadvertently store up to 80% of a process’s memory, including sensitive data like encryption keys, if not properly restricted.

Mitigation Strategies

To address these vulnerabilities, Canonical has released updates for the Apport package across all affected Ubuntu releases, urging users to update promptly. Red Hat recommends applying patches for systemd-coredump in RHEL 9 and 10, as well as Fedora 40 and 41.

As a temporary mitigation, administrators can disable core dumps for SUID programs by running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root. Setting the suid_dumpable parameter to 0 prevents core dumps from SUID binaries; however, it may hinder crash analysis for privileged processes.

Amazon Linux, Debian, and Gentoo have issued similar advisories, with Debian noting its systems are not vulnerable to CVE-2025-4598 by default. Regular monitoring and access control enforcement are also critical to reducing risks.
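To verify the suid_dumpable mitigation described above, the following added example (not from Qualys, Canonical, or Red Hat) reads the two kernel settings involved and reports whether SUID core dumps are still enabled and which handler would receive them. The function names and the optional root-directory argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the kernel settings that decide whether a crashing
# SUID process can hand its memory to Apport or systemd-coredump.
# Each function takes an optional root directory (hypothetical parameter,
# default /proc) so the check can also run against a constructed tree.

# Print the core dump handler named in core_pattern.
core_handler() {
    pattern=$(cat "${1:-/proc}/sys/kernel/core_pattern" 2>/dev/null) || return 2
    case $pattern in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# Return 0 when suid_dumpable is 0 (SUID core dumps disabled).
suid_dumps_disabled() {
    value=$(cat "${1:-/proc}/sys/fs/suid_dumpable" 2>/dev/null) || return 2
    [ "$value" = "0" ]
}

# Print "mitigated", "suid-dumps-enabled:<handler>" when one of the two
# affected handlers is configured, or "review:<handler>" otherwise.
audit_coredump_exposure() {
    root=${1:-/proc}
    handler=$(core_handler "$root") || { echo unknown; return 2; }
    if suid_dumps_disabled "$root"; then
        echo mitigated
    else
        case $handler in
            apport|systemd-coredump) echo "suid-dumps-enabled:$handler" ;;
            *)                       echo "review:$handler" ;;
        esac
    fi
}

# Live system: run  audit_coredump_exposure  with no argument.
```

A result of suid-dumps-enabled means the installed Apport or systemd-coredump package version still has to be checked against the vendor's fixed release. The echo command does not survive a reboot; a line reading fs.suid_dumpable = 0 in a file under /etc/sysctl.d/ makes the setting persistent.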

MoneyOval

© 2025 MoneyOval.
All rights reserved.