- Two information disclosure vulnerabilities were found in Apport and core-dump handler
- They affect Ubuntu, Fedora, and Red Hat
- Mitigations are available, so users are advised to take a look
Cybersecurity researchers from Qualys have discovered two information disclosure vulnerabilities plaguing different Linux distros.
The flaws, both of which are race condition bugs, allow threat actors to gain access to sensitive information.
The first one is found in Ubuntu’s core dump-handler, Apport, and is tracked as CVE-2025-5054. The second one is found in the default core-dump handler on Red Hat Enterprise Linux 9 and 10, as well as on Fedora. It is tracked as CVE-2025-4598.
Triggering a crash
Apport is an error reporting tool in Ubuntu that automatically collects crash data and system information, while systemd-coredump captures and stores core dumps of crashed processes for later debugging and analysis.
As Qualys explained, for Apport – Ubuntu 24.04 is vulnerable. Versions up to 2.33.0 are affected, as well as every Ubuntu release since 16.04. For systemd-coredump, Fedora 40/41, and Red Hat Enterprise Linux 9, and the recently released RHEL 10 are all vulnerable. Debian systems aren’t vulnerable by default, Qualys added, since they don’t include any core-dump handlers.
In theory, an attacker could trigger a crash in a privileged process and then quickly replace the crashed process before the core-dump handler intervenes.
That way, the attackers could access the core dump which could include sensitive information, such as passwords.
What’s more, since systemd-coredump does not properly validate the kernel’s per-process “dumpable” flag, a threat actor could crash root daemons that for and set UID to their own user ID. That way, they could read sensitive memory from critical processes.
Qualys developed a proof-of-concept (PoC) for both vulnerabilities, and said that to mitigate the vulnerabilities, system administrators should make sure core dumps are securely stored, implement strict PID validation, and enforce restrictions on accessing SUID/SGID core files.
More details about potential mitigations, and which commands to run to secure the infrastructure, can be found on this link.
Via The Hacker News
