Qualys details CVE-2025-5054 and CVE-2025-4598, critical vulnerabilities affecting Linux crash reporting tools like Apport and systemd-coredump. Learn how to protect your Ubuntu, Red Hat, and Fedora systems.
Cybersecurity experts at Qualys have uncovered two significant weaknesses in popular Linux operating systems. These information disclosure vulnerabilities, found in software tools called Apport and systemd-coredump, could allow attackers to steal sensitive information such as password hashes from affected systems, reveals Qualys’ report shared with Hackread.com.
Understanding the Flaws
The Qualys Threat Research Unit (TRU) identified these issues as race-condition vulnerabilities. This means an attacker can exploit a brief window of time while a program is handling data to gain unauthorized access.
One vulnerability, tracked as CVE-2025-5054, affects Apport, which is Ubuntu’s built-in system for reporting crashes. This flaw occurs because a check for detecting whether a crashing process was replaced by another process in a container happened too late. This could result in sensitive information being sent to the container, potentially leaking it.
The second, CVE-2025-4598, targets systemd-coredump, a similar tool serving as the default crash handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora. This flaw allows an attacker to crash a SUID process (a program that runs with special permissions) and quickly replace it with a regular program.
If the attacker wins this race, they can then read the core dump of the original SUID process, gaining access to sensitive data that was in its memory, such as password hashes from the /etc/shadow file.
Both Apport and systemd-coredump are designed to create core dumps (snapshots of a program’s memory when it crashes). These dumps are very useful for developers trying to fix software problems. However, they can also contain private information, such as passwords or encryption keys. Normally, access to these files is restricted to prevent misuse.
According to Qualys’ blog post, its TRU has created proofs of concept (PoCs) showing how a local attacker could use these vulnerabilities. Specifically, they’ve shown how an attacker could exploit a crashed program like unix_chkpwd (which checks user passwords) to steal password hashes from the /etc/shadow file, a critical system file containing user passwords.
“The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps.”
Saeed Abbasi, Manager Product – Threat Research Unit, Qualys
Who’s Affected and How to Protect Yourself
Many Linux systems are impacted by these newly discovered flaws. For Apport, all Ubuntu releases since 16.04 are vulnerable, with versions up to 2.33.0 being affected, including the latest Ubuntu 24.04.
As for systemd-coredump, Fedora 40 and 41, along with Red Hat Enterprise Linux 9 and the newly released RHEL 10, are at risk. Debian systems are generally safe by default unless systemd-coredump has been manually installed.
Exploiting these vulnerabilities could lead to serious security breaches, risking the confidentiality of sensitive data and potentially causing system downtime or reputational damage for organizations.
To help protect systems, Qualys recommends setting the /proc/sys/fs/suid_dumpable parameter to 0. This disables core dumps for programs that run with special permissions, which can act as a temporary fix if immediate software patches aren’t available. Qualys is also releasing new security scan IDs (QIDs), such as QID 383314, to help organizations detect these vulnerabilities.
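As an added example, not from the Qualys report or from either project, the POSIX shell script below audits whether the suid_dumpable stopgap described above is in place on a host and prints the sysctl.d line that makes it survive a reboot; the optional path argument and the drop-in file name 99-suid-dumpable.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Qualys report or either project): audit the
# fs.suid_dumpable stopgap Qualys recommends and print the persistent setting.
# Assumes Linux with /proc mounted; the path argument exists for testing.

# Meaning of the kernel's fs.suid_dumpable values.
describe_suid_dumpable() {
    case "$1" in
        0) echo "processes that changed privileges (e.g. SUID) are never dumped" ;;
        1) echo "debug mode: every process dumps, owned by its user, no security applied" ;;
        2) echo "suidsafe: privileged processes are dumped via the core_pattern handler (the mode a crash handler such as Apport or systemd-coredump relies on)" ;;
        *) echo "unrecognised value" ;;
    esac
}

# Succeeds only when the value disables dumps of privileged processes.
suid_dumpable_is_hardened() {
    [ "$1" = "0" ]
}

# The sysctl.d line that keeps the stopgap across reboots.
render_sysctl_dropin() {
    echo "fs.suid_dumpable = 0"
}

# Read the live value (or the file given as $1) and report.
# Exit status: 0 hardened, 1 not hardened, 2 value unreadable.
audit_suid_dumpable() {
    path="${1:-/proc/sys/fs/suid_dumpable}"
    if [ ! -r "$path" ]; then
        echo "cannot read $path" >&2
        return 2
    fi
    current=$(tr -d '[:space:]' < "$path")
    echo "fs.suid_dumpable = $current ($(describe_suid_dumpable "$current"))"
    if suid_dumpable_is_hardened "$current"; then
        echo "OK: core dumps of privileged processes are disabled"
        return 0
    fi
    echo "WARN: until patched, apply the stopgap as root:"
    echo "  sysctl -w fs.suid_dumpable=0"
    echo "  echo '$(render_sysctl_dropin)' > /etc/sysctl.d/99-suid-dumpable.conf"
    return 1
}

# Audit the live kernel when invoked as: sh audit.sh --audit
case "${1:-}" in
    --audit) audit_suid_dumpable; exit $? ;;
esac
```

The exit status is meant for fleet checks: a non-zero result from `--audit` flags a host that still hands privileged core dumps to its crash handler.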
Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), advises treating crash management as a secure data pipeline: isolating or disabling dump processing, encrypting dumps, shredding data post-triage, and tightening handler controls, to reduce risk and stay ahead of future threats.