@www.openwall.com
Two information disclosure vulnerabilities have been identified in the core dump handlers used by major Linux distributions: apport, the handler on Ubuntu (CVE-2025-5054), and systemd-coredump, the handler on Red Hat Enterprise Linux and Fedora among others (CVE-2025-4598). Both are race conditions that a local attacker can exploit to read memory belonging to a privileged process. Successful exploitation exposes the contents of a crashed SUID process, including password hashes, by manipulating the core dumps generated when that process crashes.
The Qualys Threat Research Unit (TRU) found that apport mishandles crash metadata: an attacker induces a crash in a privileged process and, before apport examines it, replaces it with a process of the same PID inside a mount and PID namespace the attacker controls. Apport then forwards the core dump, which still contains the memory of the original privileged process, into that namespace. systemd-coredump has an analogous race: the attacker crashes a SUID process and substitutes a non-SUID binary under the same PID, so the dump of the privileged process is handled as if it belonged to the unprivileged one and becomes readable to the attacker. Both vulnerabilities carry a CVSS score of 4.7 (medium); Red Hat rates CVE-2025-4598 as Moderate because of the complexity of winning the race. As an interim mitigation, root can stop the kernel from dumping SUID processes at all by running "echo 0 > /proc/sys/fs/suid_dumpable"; the setting does not survive a reboot unless it is also written to /etc/sysctl.d, and it removes the dumps administrators otherwise rely on to debug crashes in SUID programs. Canonical has released updated apport packages for all affected Ubuntu releases, addressing CVE-2025-5054, and users should apply them as soon as possible.
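Both bugs live in the userspace handler, so a host is only exposed when two kernel settings line up: fs.suid_dumpable permits dumps of set-uid processes, and fs.core_pattern pipes those dumps into apport or systemd-coredump. The following audit script is an added example written for this page, not code from Qualys, Canonical or Red Hat. It parses the two /proc values, works out which handler (if any) would receive a SUID crash, and says whether the mitigation above is needed. The handler names it flags are the two named in the advisories; the sysctl meanings are the ones documented in the kernel's sysctl/fs documentation.

```python
"""Added example (not code from Qualys, Canonical or Red Hat): audit the two
kernel settings that decide whether a crashing set-uid process is handed to
a userspace core-dump handler such as apport or systemd-coredump."""

import os
from typing import Optional

# Meanings documented in the kernel's Documentation/admin-guide/sysctl/fs.rst
SUID_DUMPABLE = {
    0: "set-uid processes are never dumped",
    1: "set-uid processes are dumped like any other process (debug mode)",
    2: "set-uid processes are dumped only to a pipe handler or a root-owned file ('suidsafe')",
}

# Handlers in which the PID-reuse races discussed above were reported.
AFFECTED_HANDLERS = {"apport", "systemd-coredump"}


def core_handler(core_pattern: str) -> Optional[str]:
    """Basename of the program that core_pattern pipes dumps into, or None
    when dumps are written straight to a file (no userspace handler)."""
    pattern = core_pattern.strip()
    if not pattern.startswith("|"):
        return None
    words = pattern[1:].split()
    if not words:
        return None
    return os.path.basename(words[0]) or None


def assess(suid_dumpable: int, core_pattern: str) -> dict:
    """Decide whether a set-uid crash on this configuration ever reaches an
    affected handler; both CVEs are races inside the handler, so they are
    unreachable when set-uid crashes are never dumped."""
    handler = core_handler(core_pattern)
    suid_dumped = suid_dumpable in (1, 2)
    reachable = suid_dumped and handler in AFFECTED_HANDLERS
    if reachable:
        advice = ("patch the handler; until then set fs.suid_dumpable=0 and persist it "
                  "in /etc/sysctl.d (set-uid crashes will no longer be dumped)")
    elif suid_dumped and handler is not None:
        advice = "set-uid dumps go to %s; review that handler for the same PID-reuse race" % handler
    else:
        advice = "set-uid crashes do not reach an affected handler; no change needed for this bug class"
    return {
        "handler": handler,
        "suid_dumpable": SUID_DUMPABLE.get(suid_dumpable, "unknown value %r" % suid_dumpable),
        "suid_dumped": suid_dumped,
        "handler_race_reachable": reachable,
        "advice": advice,
    }


def assess_live() -> dict:
    """Read the live values from /proc (Linux only)."""
    with open("/proc/sys/fs/suid_dumpable") as f:
        suid_dumpable = int(f.read().strip())
    with open("/proc/sys/fs/core_pattern") as f:
        core_pattern = f.read()
    return assess(suid_dumpable, core_pattern)


if __name__ == "__main__":
    for key, value in assess_live().items():
        print("%-23s %s" % (key, value))
```

On a stock Ubuntu desktop the live values are typically suid_dumpable=2 with core_pattern piped into apport, which the script reports as reachable; after "echo 0 > /proc/sys/fs/suid_dumpable" the same host reports the race as unreachable even though the handler is unchanged.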
@blog.qualys.com
A new fileless malware campaign is deploying the Remcos RAT (Remote Access Trojan) through a PowerShell-based shellcode loader. The attack begins with malicious LNK files packed inside ZIP archives and disguised as Office documents to entice users into opening them. When the LNK is launched, the chain uses mshta.exe, a signed Microsoft binary, for proxy execution: because mshta.exe runs HTML Applications (HTA) as a trusted host process, the malicious code is not written to disk as a recognisable executable and sidesteps defenses that key on that.
mshta.exe retrieves and executes an obfuscated HTA file hosted on a remote server. Its VBScript downloads a PowerShell script, a decoy PDF and a second HTA file, and writes a Windows Registry Run entry so that the downloaded HTA is launched again at every startup, giving the implant persistence. The PowerShell script then reconstructs a shellcode loader and starts the Remcos payload entirely in memory. Because the malicious code never touches disk as a file, security products that depend on file scanning have little to inspect; detection has to come from process lineage, command lines and registry telemetry instead. Remcos gives the operator full control of the compromised host, with keylogging, screenshot capture and clipboard monitoring for espionage and data theft. The RAT keeps a TLS connection to its command-and-control server for tasking and exfiltration.
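Since nothing in this chain needs a scannable file on disk, the useful signals are behavioural: explorer.exe spawning mshta.exe with a URL, a Run key whose value relaunches an HTA, and PowerShell started by mshta.exe with the switches loaders use to stay quiet. The detector below is an added example written for this page, not code from the campaign write-up or from any vendor. It runs over dictionaries with Sysmon-style field names (EventID 1 process creation, EventID 13 registry value set); the sample events at the bottom are constructed to illustrate the stages and are not captured telemetry.

```python
"""Added example (not from the campaign write-up): flag the stages of the
LNK -> mshta -> HTA -> PowerShell -> in-memory RAT chain in endpoint
telemetry. Events are dicts with Sysmon-style field names; SAMPLE_EVENTS
are constructed for illustration, not captured from the campaign."""

import re
from typing import Dict, List

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Switches a loader typically uses to hide its window or its code.
PS_EVASION = re.compile(
    r"(?i)(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?\b)")
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, object]) -> List[str]:
    """Return the chain stages this single event matches (empty if none)."""
    hits: List[str] = []
    eid = event.get("EventID")
    image = _base(str(event.get("Image", "")))
    parent = _base(str(event.get("ParentImage", "")))
    cmd = str(event.get("CommandLine", ""))
    if eid == 1:  # process creation
        if image == "mshta.exe" and (REMOTE_URL.search(cmd) or ".hta" in cmd.lower()):
            hits.append("mshta proxy-executing an HTA")
        if image == "mshta.exe" and parent == "explorer.exe":
            hits.append("mshta launched from explorer (LNK double-click)")
        if image == "powershell.exe" and parent == "mshta.exe":
            hits.append("PowerShell spawned by mshta")
        if image == "powershell.exe" and PS_EVASION.search(cmd):
            hits.append("PowerShell with hidden/encoded/no-profile switches")
    elif eid == 13:  # registry value set
        target = str(event.get("TargetObject", ""))
        details = str(event.get("Details", "")).lower()
        if RUN_KEY.search(target) and ("mshta" in details or ".hta" in details):
            hits.append("Run-key persistence that relaunches an HTA")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """Index -> detections for every event that matched at least one stage."""
    result = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://203.0.113.7/invoice.hta'},
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"mshta.exe C:\Users\Public\update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "<obfuscated loader>"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for index, stages in scan(SAMPLE_EVENTS).items():
        print(index, stages)
```

Each rule on its own is noisy (administrators run hidden PowerShell too), which is why the output keeps the stages separate: an alert that fires on two or more stages from the same host within a short window is far more specific than any single rule.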
@itpro.com
Qualys security researchers have uncovered three bypasses of Ubuntu's unprivileged user namespace restrictions, a hardening feature meant to keep unprivileged users away from the kernel attack surface that user namespaces expose. The bypasses, present in Ubuntu 23.10 and 24.04, let a local attacker create user namespaces with full administrative capabilities inside them, which is exactly what the restriction was introduced to prevent.
All three routes reach the same end state: the attacker's code creates a user namespace and holds full capabilities within it. One uses the aa-exec tool, another the Busybox binary, and a third LD_PRELOADs a shell into a program that runs under an AppArmor profile. By themselves the bypasses do not grant root on the host; they restore the namespace-based attack surface, so a kernel vulnerability reachable only from inside a user namespace could then be exploited for full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.
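Ubuntu implements this restriction through AppArmor: with kernel.apparmor_restrict_unprivileged_userns set to 1, an unconfined unprivileged process is refused a user namespace, and only processes confined by a profile that grants userns may create one. That makes the set of profiles granting userns, and the two related sysctls, the things worth auditing after reading the above. The script below is an added example written for this page, not code from Qualys or Canonical. It assumes the sysctl names Ubuntu 24.04 exposes under /proc/sys/kernel/, that profiles live in /etc/apparmor.d, and that userns rules take the AppArmor 4 forms "userns," / "userns (create)," / "deny userns,"; the profile text in the checks is constructed.

```python
"""Added example (not code from Qualys or Canonical): audit the Ubuntu
unprivileged user-namespace restriction and list the AppArmor profiles that
are allowed to create user namespaces. Assumes Ubuntu 24.04 sysctl names,
/etc/apparmor.d as the profile directory and AppArmor 4 rule syntax."""

import re
from pathlib import Path
from typing import Dict, List, Optional

SYSCTL_DIR = Path("/proc/sys/kernel")
PROFILE_DIR = Path("/etc/apparmor.d")

# With both at 1, an unprivileged process can only create a user namespace
# when an AppArmor profile explicitly grants it, which is the route the
# aa-exec / Busybox / LD_PRELOAD bypasses take.
SYSCTLS = {
    "apparmor_restrict_unprivileged_userns":
        "unconfined unprivileged processes may not create user namespaces",
    "apparmor_restrict_unprivileged_unconfined":
        "unprivileged processes may not transition to the unconfined profile",
}

# Matches 'userns,', 'userns (create),' and 'deny userns,' at the start of a
# line; the captured group is non-empty only for deny rules.
USERNS_RULE = re.compile(r"^\s*(deny\s+)?userns\b[^,\n]*,", re.MULTILINE)


def userns_verdict(profile_text: str) -> str:
    """'allow' if any non-deny userns rule is present, 'deny' if only deny
    rules are, 'none' if the profile says nothing about user namespaces."""
    text = re.sub(r"#.*", "", profile_text)   # drop comments first
    rules = USERNS_RULE.findall(text)           # list of the 'deny ' group
    if not rules:
        return "none"
    return "allow" if any(not deny for deny in rules) else "deny"


def read_sysctl(name: str) -> Optional[int]:
    """Live value, or None when the kernel does not expose the knob."""
    path = SYSCTL_DIR / name
    if not path.exists():
        return None
    return int(path.read_text().strip())


def profiles_granting_userns(profile_dir: Path = PROFILE_DIR) -> List[str]:
    """Names of profile files under profile_dir that grant userns."""
    found = []
    for path in sorted(profile_dir.glob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if userns_verdict(text) == "allow":
            found.append(path.name)
    return found


def audit() -> Dict[str, object]:
    report: Dict[str, object] = {name: read_sysctl(name) for name in SYSCTLS}
    report["profiles_allowing_userns"] = profiles_granting_userns()
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print("%-45s %s" % (key, value))
```

The list the audit prints is the set of profiles an attacker would try to land in; every entry that is not needed on a given host is a candidate for aa-disable, and a sysctl that reads None means the kernel predates the restriction and the feature is not available at all.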