Two critical local information-disclosure vulnerabilities affect millions of Linux systems worldwide, potentially allowing attackers to extract sensitive password data through core dump manipulation.
The Qualys Threat Research Unit (TRU) disclosed two race-condition vulnerabilities that target core dump handlers on major Linux distributions. The first vulnerability, CVE-2025-5054, affects Ubuntu's Apport crash reporting system, while the second, CVE-2025-4598, affects systemd-coredump, the default core dump handler used across Red Hat Enterprise Linux 9 and 10, as well as Fedora distributions.
Both vulnerabilities exploit race conditions that allow local attackers to manipulate SUID (Set User ID) programs and gain unauthorized read access to the resulting core dumps.
Qualys researchers have developed proof-of-concept exploits demonstrating how attackers can target the unix_chkpwd process, a standard component for password verification installed by default on most Linux distributions, to extract password hashes.
Core dump handlers like systemd-coredump and Apport automatically capture memory snapshots when programs crash, creating potential goldmines of sensitive information, including passwords, encryption keys, and customer data.
While these tools implement security measures such as restricting access to root users and storing dumps in secure locations, the newly discovered race conditions circumvent these protections.
Critical Linux Vulnerabilities Expose Password Hashes
The vulnerabilities affect a broad range of systems. Ubuntu 24.04 and all Ubuntu releases since 16.04 are vulnerable through Apport versions up to 2.33.0.
Meanwhile, Fedora 40/41 and Red Hat Enterprise Linux 9 and 10 are exposed through systemd-coredump. Notably, Debian systems remain protected by default since they do not include a core dump handler unless one is manually installed.
The potential impact extends beyond simple data exposure. Organizations face risks of operational downtime, reputational damage, and regulatory compliance violations. The ability to extract password hashes could enable attackers to escalate privileges and move laterally across compromised networks.
Security experts recommend immediately implementing a critical mitigation: setting the /proc/sys/fs/suid_dumpable parameter to 0. This configuration change disables core dumps for all SUID programs, effectively neutralizing the attack vector while organizations await official patches.
“While this change will disable some debugging capabilities for SUID programs and root daemons, it serves as a necessary temporary fix when vulnerable core dump handlers cannot be patched immediately,” security researchers noted.
Qualys also developed fully tested mitigation scripts, allowing organizations to quickly neutralize the threat. However, Qualys warns that broad deployment may introduce operational risks and recommends thorough testing in controlled environments.
This discovery underscores the critical importance of proactive vulnerability management and the need for robust mitigation strategies when patches are not immediately available.
Organizations should prioritize updating their core dump handlers while implementing the recommended temporary mitigations to protect against potential exploitation.
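As an added example (not one of the Qualys mitigation scripts and not code from the original article), the following POSIX shell script audits the suid_dumpable setting discussed above, applies the recommended value of 0, and writes a sysctl drop-in so the setting survives a reboot. The function names, the optional file-path argument (included so the functions can be exercised against a scratch file), and the drop-in file name 99-suid-dumpable.conf are assumptions; /etc/sysctl.d and `sysctl --system` are the standard persistence mechanism on the affected distributions.

```shell
#!/bin/sh
# Added example: audit and apply the fs.suid_dumpable=0 mitigation.
# Each function takes an optional path argument (an assumption for testing);
# by default they operate on the real kernel parameter.

SUID_DUMPABLE_FILE=/proc/sys/fs/suid_dumpable

# Prints a one-line status and returns:
#   0 = mitigated (value 0), 1 = exposed (value 1 or 2), 2 = cannot determine.
suid_dumpable_status() {
    f="${1:-$SUID_DUMPABLE_FILE}"
    if [ ! -r "$f" ]; then
        echo "cannot read $f"
        return 2
    fi
    v=$(cat "$f")
    case "$v" in
        0) echo "mitigated: suid_dumpable=0, SUID programs never produce core dumps"; return 0 ;;
        1) echo "EXPOSED: suid_dumpable=1 (debug), SUID programs dump core like any process"; return 1 ;;
        2) echo "EXPOSED: suid_dumpable=2 (suidsafe), SUID dumps go to the core_pattern handler"; return 1 ;;
        *) echo "unexpected value '$v' in $f"; return 2 ;;
    esac
}

# Writes 0 to the parameter (root is required for the real file) and re-reads
# it to confirm the change took effect. Returns 0 on success, 1 otherwise.
apply_suid_dumpable_zero() {
    f="${1:-$SUID_DUMPABLE_FILE}"
    printf '0\n' > "$f" || { echo "failed to write $f (are you root?)"; return 1; }
    [ "$(cat "$f")" = "0" ]
}

# Makes the setting persistent across reboots via a sysctl drop-in.
# The directory argument is an assumption for testing; the drop-in name is
# chosen here, not mandated by any distribution. Apply it with `sysctl --system`.
persist_suid_dumpable_zero() {
    d="${1:-/etc/sysctl.d}"
    printf 'fs.suid_dumpable = 0\n' > "$d/99-suid-dumpable.conf"
}

# Read-only report on the current host (no root required).
suid_dumpable_status || true
```

Run the script as-is to see the host's current status; as root, call `apply_suid_dumpable_zero` and then `persist_suid_dumpable_zero` (followed by `sysctl --system`) to apply and persist the mitigation. Re-running the status check is the cheapest way to confirm on each host that the temporary fix is in place until the patched core dump handler is installed.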