InfoSecBulletin Cybersecurity for mankind
The Qualys Threat Research Unit (TRU) found two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities. CVE-2025-5054 affects Ubuntu’s core-dump handler, Apport, while CVE-2025-4598 targets systemd-coredump, the default core-dump handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora. These vulnerabilities allow a local attacker to exploit a SUID program to gain read access to the core dump.
Qualys TRU created proofs of concept (POCs) for specific operating systems to show how local attackers can exploit a crashed unix_chkpwd process. This process, which is found on most Linux distributions, can allow attackers to access password hashes from the /etc/shadow file.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
A brief description of the two flaws is below:
CVE-2025-5054 (CVSS score: 4.7): A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces
CVE-2025-4598 (CVSS score: 4.7): A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process
Potential Impact:
Tools like Apport and systemd-coredump for crash reporting in Linux have historically had vulnerabilities that pose security risks to enterprises. Although modern measures—like sending core dumps to secure locations and enforcing strict PID validation—have lessened these risks, outdated or unpatched systems are still vulnerable, as highlighted by recent disclosures from Qualys TRU.
Exploiting vulnerabilities in Apport and systemd-coredump can compromise confidentiality by letting attackers access sensitive data like passwords and encryption keys from core dumps. This can result in operational downtime, reputational damage, and regulatory issues. To mitigate these risks, companies should prioritize security by implementing timely patches, strict monitoring, and enhanced access controls.
Affected Versions:
For Apport, Ubuntu 24.04 is vulnerable; versions of “Apport” up to 2.33.0 are affected, and every Ubuntu release since 16.04 is impacted.
For systemd-coredump, Fedora 40/41, and Red Hat Enterprise Linux 9, and the recently released RHEL 10 are vulnerable.
Debian systems aren’t vulnerable by default, since they don’t include any core-dump handler unless the user manually installs the systemd-coredump package.
Steps to Mitigate Risk:
The /proc/sys/fs/suid_dumpable parameter controls whether SUID programs can produce core dumps on crash. If left enabled, an attacker could trigger a crash to dump sensitive in-memory data (password hashes, keys) to disk. To mitigate these vulnerabilities, setting it to 0 disables core dumps for all SUID programs, prevents all SUID programs and root daemons that drop privileges from being analyzed in case of a crash, but it can act as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately. This modification will disable the interpreter scanning feature.
To disable core dumps for SUID, set /proc/sys/fs/suid_dumpable to 0 by using root privileges. click here for technical details.
