Critical Flaws in Linux Crash Handlers Expose Password Hashes

Jun 3, 2025 | News


Critical Vulnerabilities Found in Linux Crash Handlers Could Expose Sensitive System Data

Qualys Threat Research Unit (TRU) has disclosed two critical information disclosure vulnerabilities—CVE-2025-5054 and CVE-2025-4598—affecting crash-reporting tools in widely used Linux distributions including Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora. These flaws could allow local attackers to exploit race conditions and extract sensitive data like password hashes from core dumps.


Understanding the Vulnerabilities

The two vulnerabilities are found in:

  • Apport, Ubuntu’s default crash reporter (CVE-2025-5054)
  • systemd-coredump, the default crash handler on Red Hat and Fedora (CVE-2025-4598)

Both tools are designed to collect memory snapshots (core dumps) of crashed programs to aid developers in debugging. However, core dumps often contain sensitive data—passwords, encryption keys, and other secrets—making unauthorized access a serious threat.


Breakdown of Each Vulnerability

🔹 CVE-2025-5054 – Apport (Ubuntu)

This vulnerability stems from a race condition during crash reporting. Apport checks whether the crashing process has been replaced in a container environment, but it performs this validation too late. As a result, sensitive crash data may be redirected into a malicious container, leaking information to unauthorized users.

  • Affected systems: All Ubuntu releases since 16.04, including Ubuntu 24.04
  • Apport versions up to 2.33.0 are vulnerable

🔹 CVE-2025-4598 – systemd-coredump (RHEL & Fedora)

This flaw impacts Red Hat Enterprise Linux 9 and 10, and Fedora 40 and 41. It allows attackers to crash a SUID process (one running with elevated privileges), then quickly replace it with a benign process under their control.

If the attacker wins the race, they can capture and read the core dump of the original privileged process, potentially extracting sensitive information, such as the contents of /etc/shadow—Linux’s password hash file.

  • Debian systems are unaffected by default, unless systemd-coredump is manually enabled.


Proof of Concept (PoC) and Real-World Risk

Qualys demonstrated a working PoC for both vulnerabilities, showing how a local attacker could exploit tools like unix_chkpwd to extract shadow file hashes from a crash dump. This exposes critical infrastructure to confidentiality breaches, system compromise, and privilege escalation.

“The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise confidentiality, as attackers could extract sensitive data like passwords, encryption keys, or customer information from core dumps.”
– Saeed Abbasi, Manager of Product, TRU at Qualys


Mitigation & Recommendations

While patches are expected, immediate mitigations are advised:

Temporary Mitigation (All Systems)

Set the kernel parameter:

echo 0 > /proc/sys/fs/suid_dumpable

This disables core dumps for SUID processes, limiting attacker access in case of a crash.
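As an added example (not from the article, Qualys, Apport or systemd), the following POSIX sh script audits the two settings that decide whether a crashed set-user-ID process ever reaches a crash handler: fs.suid_dumpable and kernel.core_pattern. The optional proc_root argument is an assumption of the script so the checks can be exercised against a constructed copy of /proc.

```shell
#!/bin/sh
# Added audit example (not from the article, Qualys, Apport or systemd):
# report whether this host still lets set-user-ID processes produce core
# dumps and which crash handler kernel.core_pattern would hand them to.
# The proc_root argument is an assumption of this script: it defaults to
# /proc and lets the checks run against a constructed copy for testing.

# Succeed (exit 0) only when fs.suid_dumpable is 0, i.e. SUID dumps disabled.
suid_dumpable_is_hardened() {
    proc_root="${1:-/proc}"
    value=$(cat "$proc_root/sys/fs/suid_dumpable" 2>/dev/null || echo unknown)
    [ "$value" = "0" ]
}

# Print which handler kernel.core_pattern routes dumps to: apport,
# systemd-coredump, other-pipe (some other helper), file (plain core
# file written by the kernel) or unknown (pattern unreadable).
core_handler() {
    proc_root="${1:-/proc}"
    pattern=$(cat "$proc_root/sys/kernel/core_pattern" 2>/dev/null || echo "")
    case "$pattern" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        "")                    echo unknown ;;
        *)                     echo file ;;
    esac
}

# One-line verdict; returns 0 when hardened, 1 when SUID dumps are still
# reachable by the crash handler and the temporary mitigation applies.
audit_coredump_exposure() {
    proc_root="${1:-/proc}"
    handler=$(core_handler "$proc_root")
    if suid_dumpable_is_hardened "$proc_root"; then
        echo "OK: fs.suid_dumpable=0, SUID core dumps disabled (handler: $handler)"
        return 0
    fi
    echo "WARN: SUID core dumps enabled and routed to $handler;" \
         "run 'sysctl -w fs.suid_dumpable=0' and persist it in /etc/sysctl.d/"
    return 1
}

# Stand-alone run against the live system; '|| :' keeps a WARN verdict from
# aborting a caller that has 'set -e' enabled.
audit_coredump_exposure /proc || :
```

Writing `echo 0 > /proc/sys/fs/suid_dumpable` does not survive a reboot; the verdict therefore points at the sysctl form so the setting can also be persisted in a drop-in file.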

🧩 Detection and Monitoring

Qualys has released a detection rule, QID 383314, to help organizations scan systems for vulnerable versions.

🔐 Long-Term Recommendations:

  • Isolate crash dump pipelines from user-level processes.
  • Encrypt core dumps at rest.
  • Shred or securely delete core dumps after analysis.
  • Use access controls to restrict handler privileges.

“Crash reporting must be treated as a secure data pipeline—isolated, encrypted, and tightly controlled,” said Jason Soroko, Senior Fellow at Sectigo. “Failure to do so exposes organizations to silent data leaks and elevated risks.”




Summary: Who’s at Risk?

Distribution            | Vulnerability  | Tool Affected               | Impact
Ubuntu (16.04–24.04)    | CVE-2025-5054  | Apport                      | Crash leaks in container environments
RHEL 9 & 10             | CVE-2025-4598  | systemd-coredump            | Core dump access to sensitive data
Fedora 40 & 41          | CVE-2025-4598  | systemd-coredump            | Same as above
Debian (default config) | Not affected   | systemd-coredump not active | Minimal risk

These findings reinforce the need to treat core dump handling as a high-risk process in security architecture. While designed for debugging, crash reporting tools can easily become leak vectors if not properly secured.

Organizations running Linux in production—particularly those using Ubuntu, Fedora, or Red Hat—should audit their crash reporting configurations, apply mitigations, and patch immediately once updates are available.

Source: hackread.com