CyberSecurity news
Two new information disclosure vulnerabilities have been identified in Linux systems, specifically affecting Ubuntu, Red Hat Enterprise Linux, and Fedora distributions. These flaws reside in the core dump handlers 'apport' (CVE-2025-5054) and 'systemd-coredump' (CVE-2025-4598). The vulnerabilities are characterized as race condition bugs, which could be exploited by a local attacker to gain unauthorized access to sensitive information. Successful exploitation could lead to the exposure of critical data, including password hashes, through the manipulation of core dumps generated during system crashes.
Qualys Threat Research Unit (TRU) discovered that Apport incorrectly handled metadata when processing application crashes. This allows an attacker to induce a crash in a privileged process and quickly replace it with another process that has the same process ID and resides inside a mount and PID namespace. Apport will then attempt to forward the core dump, potentially containing sensitive information from the original privileged process, into the namespace. Similarly, systemd-coredump has a race condition that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary in order to access the core dump of the original privileged process.
Both vulnerabilities have been assigned a CVSS score of 4.7, indicating a medium severity level. Red Hat has rated CVE-2025-4598 as Moderate due to the high complexity involved in successfully exploiting the flaw. To mitigate the risk, users can disable core dump generation for SUID binaries by running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root. Canonical has released updates for the apport package for all affected Ubuntu releases, addressing CVE-2025-5054, and users are advised to update their systems as soon as possible.
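The mitigation above, as an added example (not code from Qualys, Canonical or Red Hat): a POSIX shell audit that reads fs.suid_dumpable and core_pattern, reports which handler receives core dumps, and can write a sysctl drop-in so the setting persists. The function names, the "--audit" argument and the drop-in file name are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the core-dump settings behind the mitigation above.
# Function names, "--audit" and the drop-in file name are this example's own.

# Name the handler that a core_pattern file routes dumps to.
core_handler() {
    pattern=$(cat "${1:-/proc/sys/kernel/core_pattern}" 2>/dev/null) ||
        { echo unknown; return 0; }
    case $pattern in
        '|'*apport*)           echo apport ;;
        '|'*systemd-coredump*) echo systemd-coredump ;;
        '|'*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# Return 0 if SUID core dumps are off (fs.suid_dumpable=0), 1 if they are
# on (1 = debug, 2 = suidsafe), 2 if the value cannot be read or parsed.
audit_coredump() {
    dumpable_file=${1:-/proc/sys/fs/suid_dumpable}
    handler=$(core_handler "${2:-/proc/sys/kernel/core_pattern}")
    value=$(cat "$dumpable_file" 2>/dev/null) ||
        { echo "UNKNOWN: cannot read $dumpable_file"; return 2; }
    case $value in
        0)  echo "OK: suid_dumpable=0, SUID crashes produce no core dump"
            return 0 ;;
        1|2) echo "ENABLED: suid_dumpable=$value, SUID crashes go to: $handler"
            case $handler in
                apport|systemd-coredump)
                    echo "CHECK: update $handler or set suid_dumpable to 0" ;;
            esac
            return 1 ;;
        *)  echo "UNKNOWN: unexpected suid_dumpable value '$value'"
            return 2 ;;
    esac
}

# Write a sysctl drop-in so the setting survives a reboot; writing to /proc
# alone changes only the running kernel. Run as root for the default path.
persist_fix() {
    printf 'fs.suid_dumpable = 0\n' > "${1:-/etc/sysctl.d}/50-suid-dumpable.conf"
}

# Audit the live host only when asked, e.g.: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_coredump; fi
```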
Classification:
- HashTags: #Linux #Vulnerability #InformationDisclosure
- Company: Qualys
- Target: Linux Systems
- Product: Linux
- Feature: Core Dump Handling
- Malware: apport, systemd-coredump
- Type: Vulnerability
- Severity: Medium