
New Moderate Linux Flaw Allows Password Hash Theft Via Core Dumps in Ubuntu, RHEL, Fedora (thehackernews.com)

(Monday June 02, 2025 @03:34AM (EditorDavid) from the getting-to-the-core dept.)


An anonymous reader shared [1]this report from The Hacker News:

> Two information disclosure flaws have been identified in [2]apport and [3]systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).

>

> [4]Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. "These race conditions allow a local attacker to exploit a SUID program and [5]gain read access to the resulting core dump," Saeed Abbasi, manager of product at Qualys TRU, said...

>

> Red Hat said CVE-2025-4598 has been rated Moderate in severity owing to the high complexity in pulling an exploit for the vulnerability, noting that the attacker has to first win the race condition and be in possession of an unprivileged local account... Qualys has also developed proof-of-concept code for both vulnerabilities, demonstrating how a local attacker can exploit the coredump of a crashed unix_chkpwd process, which is used to verify the validity of a user's password, to obtain password hashes from the /etc/shadow file.

Advisories were also issued by [6]Gentoo, [7]Amazon Linux, and [8]Debian, the article points out. (Though "It's worth noting that Debian systems aren't susceptible to CVE-2025-4598 by default, since they don't include any core dump handler unless the systemd-coredump package is manually installed.")

Canonical software security engineer Octavio Galland [9]explains the issue on Canonical's blog. "If a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace... In order to successfully carry out the exploit, an attacker must have permissions to create user, mount and pid namespaces with full capabilities."

> Canonical's security team has released updates for the apport package for all affected Ubuntu releases... We recommend you upgrade all packages... The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:

>

> - Applies new security updates every 24 hours automatically.

> - If you have this enabled, the patches above will be automatically applied within 24 hours of being available.



[1] https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html

[2] https://wiki.ubuntu.com/Apport

[3] https://www.freedesktop.org/software/systemd/man/latest/systemd-coredump.html

[4] https://www.openwall.com/lists/oss-security/2025/05/29/3

[5] https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598

[6] https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-4598

[7] https://explore.alas.aws.amazon.com/CVE-2025-4598.html

[8] https://security-tracker.debian.org/tracker/CVE-2025-4598

[9] https://ubuntu.com/blog/apport-local-information-disclosure-vulnerability-fixes-available



A-Z (Score:4, Funny)

by markdavis ( 642305 )

If you can do A and B while C and D if E and F but not G to H when I is J then maybe K will hit L until M, N, and O do P which allows you possible access to Q which if R and S are T then U might be able to V as long as W isn't X then you have a slight chance that Y will allow partial access to Z.

Re: (Score:3)

by YetAnotherDrew ( 664604 )

Spoken as a true man of letters.

Mitigation (Score:2)

by Vomitgod ( 6659552 )

as per openwall.com -

To mitigate these vulnerabilities, /proc/sys/fs/suid_dumpable can be set to 0 (SUID_DUMP_DISABLE, "No setuid dumping"). This prevents all SUID programs and root daemons that drop privileges from being analysed in case of a crash, but it can act as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately.
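Added example, not from the article, the openwall post or the commenter: a POSIX sh audit of the suid_dumpable workaround quoted above. It classifies the live fs.suid_dumpable value, reports which handler kernel.core_pattern pipes dumps to, and prints the sysctl commands for the temporary fix; the sysctl.d drop-in file name is my own choice, and the standard /proc/sys paths are assumed.

```shell
#!/bin/sh
# Added example (not from the article or the openwall post): audit whether
# the suid_dumpable workaround is in place and which core-dump handler
# kernel.core_pattern hands dumps to. Assumes the standard /proc/sys paths.

# Classify an fs.suid_dumpable value (meanings per the kernel sysctl docs).
# Returns 0 only when SUID / privilege-dropping processes are never dumped.
classify_suid_dumpable() {
    case "$1" in
        0) echo "0 = disabled: SUID processes are not dumped (mitigated)"; return 0 ;;
        1) echo "1 = debug: every process dumps core (not mitigated)"; return 1 ;;
        2) echo "2 = suidsafe: dump written as root or fed to the pipe handler (not mitigated)"; return 1 ;;
        *) echo "unrecognised value '$1'"; return 2 ;;
    esac
}

# Name the handler that kernel.core_pattern pipes dumps to ("file" when the
# kernel writes a plain core file instead). Returns 0 when a pipe handler is set.
core_handler_from_pattern() {
    case "$1" in
        '|'*apport*)           echo apport;             return 0 ;;
        '|'*systemd-coredump*) echo systemd-coredump;   return 0 ;;
        '|'*)                  echo other-pipe-handler; return 0 ;;
        *)                     echo file;               return 1 ;;
    esac
}

# Read the live sysctls and report; "unknown" if /proc/sys is unavailable.
audit_live_system() {
    sd=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    cp=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    printf 'fs.suid_dumpable    -> %s\n' "$(classify_suid_dumpable "$sd")"
    printf 'kernel.core_pattern -> %s (handler: %s)\n' \
        "$cp" "$(core_handler_from_pattern "$cp")"
    # Only a pipe handler receiving SUID dumps is the exposure discussed above.
    if [ "$sd" != 0 ] && core_handler_from_pattern "$cp" >/dev/null; then
        echo "ACTION: until the handler is patched, apply the temporary fix:"
        echo "  sysctl -w fs.suid_dumpable=0"
        # Drop-in file name is our choice; any name under sysctl.d works.
        echo "  echo 'fs.suid_dumpable = 0' > /etc/sysctl.d/99-suid-dumpable.conf"
        echo "  sysctl --system"
    fi
}

audit_live_system
```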

BETTER Mitigation (Score:2)

by storkus ( 179708 )

Thank $DEITY that I use SystemD-free Slackware!

*ducks & pulls down asbestos suit hood*
