Article Details
Scrape Timestamp (UTC): 2025-05-31 10:28:52.710
Source: https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
Original Article Text
New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora

Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).

Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.

"These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump," Saeed Abbasi, manager of product at Qualys TRU, said.

A brief description of the two flaws is below -

SUID, short for Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own permissions.

"When analyzing application crashes, apport attempts to detect if the crashing process was running inside a container before performing consistency checks on it," Canonical's Octavio Galland said. "This means that if a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace."

Red Hat said CVE-2025-4598 has been rated Moderate in severity owing to the high complexity in pulling off an exploit for the vulnerability, noting that the attacker has to first win the race condition and be in possession of an unprivileged local account.

As mitigations, Red Hat said users can run the command "echo 0 > /proc/sys/fs/suid_dumpable" as a root user to disable the ability of a system to generate a core dump for SUID binaries.
The "/proc/sys/fs/suid_dumpable" parameter controls whether SUID programs can produce core dumps when they crash. Setting it to zero disables core dumps for all SUID programs and prevents their crashes from being analyzed. "While this mitigates this vulnerability while it's not possible to update the systemd package, it disables the capability of analyzing crashes for such binaries," Red Hat said.

Similar advisories have been issued by Amazon Linux, Debian, and Gentoo. It's worth noting that Debian systems aren't susceptible to CVE-2025-4598 by default, since they don't include any core dump handler unless the systemd-coredump package is manually installed. CVE-2025-4598 does not affect Ubuntu releases.

Qualys has also developed proof-of-concept (PoC) code for both vulnerabilities, demonstrating how a local attacker can exploit the coredump of a crashed unix_chkpwd process, which is used to verify the validity of a user's password, to obtain password hashes from the /etc/shadow file.

Canonical, in an alert of its own, said the impact of CVE-2025-5054 is restricted to the confidentiality of the memory space of invoked SUID executables and that the PoC exploit, which can leak hashed user passwords, has limited real-world impact.

"The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps," Abbasi said. "The fallout includes operational downtime, reputational damage, and potential non-compliance with regulations. To mitigate these multifaceted risks effectively, enterprises should adopt proactive security measures by prioritizing patches and mitigations, enforcing robust monitoring, and tightening access controls."
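An added example, not from the article or the vendor advisories: a POSIX shell audit for the suid_dumpable mitigation described above. It reports whether SUID core dumps are disabled, which handler kernel.core_pattern names, and whether the setting is persisted in sysctl configuration, since a write to /proc/sys lasts only until reboot. The verdict labels and the default sysctl file locations are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit SUID core-dump exposure.
# File paths are parameters so the checks can run on constructed files.

# Map an fs.suid_dumpable value to the kernel's documented mode name.
suid_dump_mode() {
    case "$1" in
        0) echo disabled ;;  # SUID processes never dump core (the mitigation)
        1) echo debug ;;     # every process may dump core
        2) echo suidsafe ;;  # SUID dumps allowed: root-only, pipe or absolute path
        *) echo unknown ;;
    esac
}

# Identify the handler named by a kernel.core_pattern value.
core_handler() {
    case "$1" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# Last fs.suid_dumpable value set in the given sysctl config files, or "unset".
persisted_setting() {
    [ "$#" -gt 0 ] || { echo unset; return 0; }
    val=$(cat "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*fs\.suid_dumpable[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' |
        tail -n 1)
    echo "${val:-unset}"
}

# audit [SUID_DUMPABLE_FILE CORE_PATTERN_FILE [SYSCTL_CONF...]]
audit() {
    mode=$(suid_dump_mode "$(cat "${1:-/proc/sys/fs/suid_dumpable}")")
    handler=$(core_handler "$(cat "${2:-/proc/sys/kernel/core_pattern}")")
    # With no explicit files, fall back to assumed default sysctl locations.
    [ "$#" -ge 2 ] && shift 2 || set -- /etc/sysctl.conf /etc/sysctl.d/*.conf
    persisted=$(persisted_setting "$@")
    if [ "$mode" = disabled ]; then verdict=mitigated
    elif [ "$handler" = apport ] || [ "$handler" = systemd-coredump ]; then
        verdict=check-patch-level   # SUID dumps reach a handler named above
    else verdict=review
    fi
    echo "verdict=$verdict mode=$mode handler=$handler persisted=$persisted"
}

audit "$@"   # with no arguments, audits the local host
```

A result of `verdict=mitigated` with `persisted=unset` means the runtime value is 0 but nothing in the checked configuration files will restore it after a reboot.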
Daily Brief Summary
Two new vulnerabilities found in Linux core dump handlers can lead to sensitive data exposure, impacting systems including Ubuntu, RHEL, and Fedora.
Identified as CVE-2025-5054 and CVE-2025-4598, these flaws arise from race conditions allowing local attackers to access password hashes.
Exploitation enables attackers to read core dumps of SUID executables, potentially revealing user passwords and other confidential information.
Red Hat rates CVE-2025-4598 as Moderate in severity because of the high exploit complexity: an attacker must win a race condition and hold an unprivileged local account.
Mitigation includes disabling core dump generation for SUID binaries via system configurations, reducing risk at the expense of detailed crash analysis.
Proof-of-concept code developed by Qualys can exploit these vulnerabilities in controlled laboratory conditions but has limited real-world applicability.
Enterprises are advised to enforce rapid patching and robust monitoring to protect against potential confidentiality breaches and compliance issues.