InfoSecBulletin Cybersecurity for mankind
The Qualys Threat Research Unit (TRU) found two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities. CVE-2025-5054 affects Ubuntu’s core-dump handler, Apport, while CVE-2025-4598 targets systemd-coredump, the default core-dump handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora. These vulnerabilities allow a local attacker to exploit a SUID program to gain read access to the core dump.
Qualys TRU created proofs of concept (POCs) for specific operating systems to show how local attackers can exploit a crashed unix_chkpwd process. This process, which is found on most Linux distributions, can allow attackers to access password hashes from the /etc/shadow file.
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
A brief description of the two flaws is below:
CVE-2025-5054 (CVSS score: 4.7): A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces
CVE-2025-4598 (CVSS score: 4.7): A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process
Potential Impact:
Tools like Apport and systemd-coredump for crash reporting in Linux have historically had vulnerabilities that pose security risks to enterprises. Although modern measures—like sending core dumps to secure locations and enforcing strict PID validation—have lessened these risks, outdated or unpatched systems are still vulnerable, as highlighted by recent disclosures from Qualys TRU.
Exploiting vulnerabilities in Apport and systemd-coredump can compromise confidentiality by letting attackers access sensitive data like passwords and encryption keys from core dumps. This can result in operational downtime, reputational damage, and regulatory issues. To mitigate these risks, companies should prioritize security by implementing timely patches, strict monitoring, and enhanced access controls.
Affected Versions:
For Apport, Ubuntu 24.04 is vulnerable; versions of “Apport” up to 2.33.0 are affected, and every Ubuntu release since 16.04 is impacted.
For systemd-coredump, Fedora 40/41, and Red Hat Enterprise Linux 9, and the recently released RHEL 10 are vulnerable.
Debian systems aren’t vulnerable by default, since they don’t include any core-dump handler unless the user manually installs the systemd-coredump package.
Steps to Mitigate Risk:
The /proc/sys/fs/suid_dumpable parameter controls whether SUID programs can produce core dumps on crash. If left enabled, an attacker could trigger a crash to dump sensitive in-memory data (password hashes, keys) to disk. To mitigate these vulnerabilities, setting it to 0 disables core dumps for all SUID programs, prevents all SUID programs and root daemons that drop privileges from being analyzed in case of a crash, but it can act as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately. This modification will disable the interpreter scanning feature.
To disable core dumps for SUID, set /proc/sys/fs/suid_dumpable to 0 by using root privileges. click here for technical details.
