
Critical Linux Vulnerabilities: Disclosure Risks in Apport and systemd-coredump



TL;DR

Researchers have identified two local information-disclosure vulnerabilities in Linux core dump handlers, Apport and systemd-coredump. The flaws, tracked as CVE-2025-5054 and CVE-2025-4598 and rated CVSS 4.7 (medium), are race conditions that let a local, unprivileged attacker read the core dump of a crashed SUID program, and with it whatever secrets that program held in memory. Affected distributions include Ubuntu, Red Hat Enterprise Linux, and Fedora. Mitigation consists of disabling core dumps for SUID programs (fs.suid_dumpable=0) as a stopgap and installing the patched Apport and systemd packages as soon as they are available.

Main Content

Qualys has issued a warning about two information disclosure vulnerabilities in Apport and systemd-coredump, the core dump handlers used in popular Linux distributions such as Ubuntu, Red Hat Enterprise Linux, and Fedora.

Vulnerability Overview

Researchers discovered vulnerabilities in Apport (Ubuntu’s core dump handler) and systemd-coredump, which is used in the default configuration of Red Hat Enterprise Linux 9 and Fedora.

  • systemd-coredump: This tool captures “core dumps” (snapshots of a program’s memory) when an application crashes. These dumps can contain sensitive data, so access is restricted to root by default. It is used in many Linux distributions, including Fedora, RHEL 8+, SUSE, and Arch.

  • Apport: Ubuntu’s built-in crash reporting tool collects details like stack traces, logs, and package info, creating a report for developers. These reports can sometimes include personal or system data.

Vulnerability Details

The Qualys Threat Research Unit (TRU) identified two local information-disclosure vulnerabilities:

  • CVE-2025-5054: Affects Ubuntu’s core-dump handler, Apport.
  • CVE-2025-4598: Affects systemd-coredump, the default core-dump handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora.

Both vulnerabilities are PID-reuse race conditions. The handler identifies the crashed process by its PID and decides from that process's credentials who may read the dump. An attacker crashes a SUID program, then races to replace the crashed PID with an attacker-controlled, non-SUID process before the handler has finished inspecting it. The handler then attributes the dump to the attacker's process and grants the attacker read access to memory that belonged to the privileged program.

Impact and Exploitation

These vulnerabilities carry a CVSS score of 4.7 (medium), but the data they expose is high value: Qualys TRU built proof-of-concept exploits against unix_chkpwd, the SUID helper that reads /etc/shadow to verify a user's password. A core dump of unix_chkpwd therefore contains password hashes from /etc/shadow, which an attacker can crack offline or use for further local privilege escalation.

Affected Systems

  • Apport: Vulnerable in Ubuntu 24.04 and all versions since 16.04 (up to version 2.33.0).
  • systemd-coredump: Affected in Fedora 40/41, RHEL 9, and RHEL 10.

Debian is not vulnerable by default, because it ships no core-dump handler unless the systemd-coredump package is installed by hand; crashes of SUID programs there are simply not dumped to a helper.

Mitigation Strategies

To prevent data leaks from crashes, set /proc/sys/fs/suid_dumpable (sysctl fs.suid_dumpable) to 0, which tells the kernel never to dump SUID/SGID processes or processes that changed credentials. This is a temporary fix until patched packages are installed: it does not repair the race in the handlers, it only keeps SUID dumps from reaching them, and it removes crash diagnostics for those programs. Note that systemd ships a sysctl drop-in (50-coredump.conf) that sets fs.suid_dumpable=2 so that SUID dumps are routed to the handler, so the override must be persisted in /etc/sysctl.d with a name that sorts later, otherwise the setting reverts on the next boot.
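The following script is an added example (not from the article or from the Qualys advisory) that audits whether SUID core dumps on the current host can reach Apport or systemd-coredump, and applies the fs.suid_dumpable=0 mitigation persistently when run as root with `apply`. The drop-in file name under /etc/sysctl.d is an assumption; any name that sorts after systemd's 50-coredump.conf works.

```shell
#!/bin/sh
# Added example: audit and mitigate SUID core-dump exposure
# (CVE-2025-5054 / CVE-2025-4598). Not the article's or Qualys' code.

SUID_DUMPABLE=/proc/sys/fs/suid_dumpable
CORE_PATTERN=/proc/sys/kernel/core_pattern
DROPIN=/etc/sysctl.d/99-no-suid-coredumps.conf   # assumed name; must sort after 50-coredump.conf

# Kernel meaning of fs.suid_dumpable (Documentation/admin-guide/sysctl/fs.rst):
#   0  SUID/SGID binaries and processes that changed credentials are never dumped
#   1  "debug": dumped like normal processes, core file owned by the effective uid (unsafe)
#   2  "suidsafe": dumped only when core_pattern pipes to a helper, i.e. exactly the
#      Apport / systemd-coredump path the two CVEs race against
classify_suid_dumpable() {
  case "$1" in
    0) echo hardened ;;
    1) echo unsafe ;;
    2) echo handler-exposed ;;
    *) echo unknown; return 1 ;;
  esac
}

# Which helper, if any, kernel.core_pattern pipes dumps into.
handler_from_core_pattern() {
  case "$1" in
    '|'*apport*)           echo apport ;;
    '|'*systemd-coredump*) echo systemd-coredump ;;
    '|'*)                  echo other-pipe ;;
    *)                     echo file ;;   # plain file pattern: no helper involved
  esac
}

# True (exit 0) when a SUID crash would be handed to a vulnerable helper.
# $1 = fs.suid_dumpable value, $2 = kernel.core_pattern string
suid_dumps_reach_handler() {
  [ "$1" != 0 ] || return 1
  case "$(handler_from_core_pattern "$2")" in
    apport|systemd-coredump) return 0 ;;
    *) return 1 ;;
  esac
}

check() {
  [ -r "$SUID_DUMPABLE" ] || { echo "cannot read $SUID_DUMPABLE (not Linux?)"; return 2; }
  val=$(cat "$SUID_DUMPABLE")
  pat=$(cat "$CORE_PATTERN")
  printf 'fs.suid_dumpable=%s (%s)\n' "$val" "$(classify_suid_dumpable "$val")"
  printf 'kernel.core_pattern=%s (handler: %s)\n' "$pat" "$(handler_from_core_pattern "$pat")"
  if suid_dumps_reach_handler "$val" "$pat"; then
    echo "EXPOSED: SUID core dumps go to $(handler_from_core_pattern "$pat"); patch or run '$0 apply'"
    return 1
  fi
  echo "OK: SUID core dumps do not reach a pipe handler"
}

apply() {
  [ "$(id -u)" = 0 ] || { echo "apply needs root" >&2; return 1; }
  sysctl -w fs.suid_dumpable=0                   # immediate effect on the running kernel
  printf 'fs.suid_dumpable = 0\n' > "$DROPIN"     # survives reboot and overrides 50-coredump.conf
  echo "wrote $DROPIN"
}

case "${1:-check}" in
  check) check ;;
  apply) apply ;;
  *) echo "usage: $0 [check|apply]" >&2 ;;
esac
```

Run it without arguments (or with `check`) as any user to see whether the host is exposed; run `apply` as root to set the sysctl now and persist it. Reverting the mitigation once patched packages are installed is a matter of deleting the drop-in and re-running `sysctl --system`.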

Conclusion

Exploitation of these vulnerabilities compromises confidentiality: secrets held in memory by privileged programs, such as password hashes, become readable to any local user, and those secrets can then be used for privilege escalation, with the usual downstream consequences of operational disruption, reputational damage, and potential non-compliance with regulations. Enterprises should prioritize the patched Apport and systemd packages, apply the fs.suid_dumpable=0 mitigation where patching is delayed, enforce robust monitoring, and tighten local access controls to manage these risks.

For more details, visit the full article: source


Pierluigi Paganini

(SecurityAffairs – hacking, Linux)


This post is licensed under CC BY 4.0 by the author.