Cyber Web Spider Blog – News

New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora

Posted on May 31, 2025 by CWS

May 31, 2025 | Ravie Lakshmanan | Vulnerability / Linux
Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).
Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could allow a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.
“These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump,” Saeed Abbasi, manager of product at Qualys TRU, said.

A brief description of the two flaws is below:

  • CVE-2025-5054 (CVSS score: 4.7) - A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces
  • CVE-2025-4598 (CVSS score: 4.7) - A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process

SUID, short for Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own permissions.
“When analyzing application crashes, apport attempts to detect if the crashing process was running inside a container before performing consistency checks on it,” Canonical’s Octavio Galland said.
“This means that if a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace.”
Red Hat said CVE-2025-4598 has been rated Moderate in severity owing to the high complexity in pulling off an exploit for the vulnerability, noting that the attacker has to first win the race condition and be in possession of an unprivileged local account.
As mitigations, Red Hat said users can run the command “echo 0 > /proc/sys/fs/suid_dumpable” as a root user to disable the ability of a system to generate a core dump for SUID binaries.
The “/proc/sys/fs/suid_dumpable” parameter essentially controls whether SUID programs can produce core dumps on crash. Setting it to zero disables core dumps for all SUID programs and prevents them from being analyzed in the event of a crash.

“While this mitigates this vulnerability while it’s not possible to update the systemd package, it disables the capability of analyzing crashes for such binaries,” Red Hat said.
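
The suid_dumpable mitigation above can be checked before and after it is applied. The following shell functions are an added example, not code from Red Hat, Qualys or the article; the verdict strings and the drop-in file name 99-disable-suid-coredump.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit whether SUID core dumps can
# reach apport or systemd-coredump. File arguments default to the live /proc
# entries; passing other paths lets the check run on copies.

# Map a kernel.core_pattern value to the handler that receives the dump.
classify_handler() {
    case "$1" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# Print "<verdict> suid_dumpable=<n> handler=<name>".
# Returns 0 if SUID dumps are disabled, 1 if they are produced, 2 on error.
assess_exposure() {
    sd_file=${1:-/proc/sys/fs/suid_dumpable}
    cp_file=${2:-/proc/sys/kernel/core_pattern}
    sd=$(tr -d '[:space:]' < "$sd_file") || return 2
    pattern=$(head -n 1 "$cp_file") || return 2
    handler=$(classify_handler "$pattern")
    case "$sd" in
        0)   echo "OK suid_dumpable=0 handler=$handler"; return 0 ;;
        1|2) # 1 = dump everything, 2 = "suidsafe": dump is handed to the handler
             case "$handler" in
                 apport|systemd-coredump) verdict=PATCH-OR-DISABLE ;;
                 *)                       verdict=REVIEW ;;
             esac
             echo "$verdict suid_dumpable=$sd handler=$handler"; return 1 ;;
        *)   echo "UNKNOWN suid_dumpable=$sd handler=$handler"; return 2 ;;
    esac
}

# The echo into /proc is lost at reboot; a sysctl.d drop-in keeps it.
# The directory argument and the file name are assumptions of this example.
persist_mitigation() {
    dir=${1:-/etc/sysctl.d}
    printf 'fs.suid_dumpable = 0\n' > "$dir/99-disable-suid-coredump.conf"
}
```

Run `assess_exposure` with no arguments on a live host; `persist_mitigation` needs root when writing to /etc/sysctl.d.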
Similar advisories have been issued by Amazon Linux, Debian, and Gentoo. It’s worth noting that Debian systems aren’t susceptible to CVE-2025-4598 by default, since they don’t include any core dump handler unless the systemd-coredump package is manually installed. CVE-2025-4598 does not affect Ubuntu releases.

Qualys has also developed proof-of-concept (PoC) code for both vulnerabilities, demonstrating how a local attacker can exploit the coredump of a crashed unix_chkpwd process, which is used to verify the validity of a user’s password, to obtain password hashes from the /etc/shadow file.
Canonical, in an alert of its own, said the impact of CVE-2025-5054 is restricted to the confidentiality of the memory space of invoked SUID executables and that the PoC exploit, which can leak hashed user passwords, has limited real-world impact.
“The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps,” Abbasi said.
“The fallout includes operational downtime, reputational damage, and potential non-compliance with regulations. To mitigate these multifaceted risks effectively, enterprises should adopt proactive security measures by prioritizing patches and mitigations, enforcing robust monitoring, and tightening access controls.”
