Two local information disclosure flaws in Linux crash-reporting tools have been identified, exposing system data to attackers.
Analysis Summary
# Vulnerability: Information Disclosure in Linux Core Dump Handlers Exposing Password Hashes
## CVE Details
- CVE IDs: CVE-2025-5054, CVE-2025-4598
- CVSS Score: not provided in the source text, but implied **High** because password hashes can be read.
- CWE: not explicitly stated; the described behaviour is a race condition in the crash handler leading to improper access control.
## Affected Systems
- Products: Apport (Ubuntu), systemd-coredump (RHEL, Fedora)
- Versions: Apport (on Ubuntu), systemd-coredump (RHEL 9, RHEL 10, Fedora 40/41)
- Configurations: systems running SUID programs where a crash occurs, allowing a local user to race the crash handler.
## Vulnerability Description
Two local information-disclosure vulnerabilities exist in Linux crash reporting tools (Apport and systemd-coredump). These are race condition flaws that allow a local, low-privileged user to exploit a SUID program crash. By racing the crash handler before it sanitizes the core dump, the attacker can read the contents of the core dump file. Since common utilities like `unix_chkpwd` (which handles password checks) may crash, their core dumps can contain sensitive data, including password hashes from `/etc/shadow`.
## Exploitation
- Status: PoC available (demonstrated to extract password hashes from `/etc/shadow`).
- Complexity: **Low** (requires local access and a race condition success).
- Attack Vector: **Local**
## Impact
- Confidentiality: **High** (Exposure of password hashes from `/etc/shadow`).
- Integrity: Low (no direct modification; any integrity impact is indirect, via the disclosed data).
- Availability: Low (no direct impact on system uptime).
## Remediation
### Patches
Specific patch versions are not listed in the provided text, but remediation requires updating the affected packages:
- **Apport** on Ubuntu systems.
- **systemd-coredump** on RHEL 9, RHEL 10, and Fedora 40/41 systems.
### Workarounds
1. **Preventing Core Dumps:** Temporarily restrict core dumps if immediate patching is not possible (at the cost of losing crash data for debugging).
2. **Principle of Least Privilege:** Review and minimize the use of SUID binaries where possible.
3. **Monitor Crash Handlers:** Ensure that crash handlers are executed with minimal privileges immediately following a crash.
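One way to verify that workaround 1 is actually in effect is to inspect the kernel's core-dump sysctls. This is an added example, not part of the advisory or either project's code; it assumes the admin is using the standard `fs.suid_dumpable` sysctl (0 = SUID processes are never dumped, 1 = dumped like any process, 2 = handed only to the pipe handler or a root-owned file) and reads `kernel.core_pattern` to show which handler (Apport or systemd-coredump) receives dumps.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host's SUID core-dump policy
# so an admin can confirm the "restrict core dumps" workaround is active.
# fs.suid_dumpable values (Linux Documentation/admin-guide/sysctl/fs.rst):
#   0 = SUID / unreadable processes are not dumped (blocks the described race)
#   1 = dumped like any other process
#   2 = dumped only via a pipe handler or root-owned file ("suidsafe")

# Print a verdict for a fs.suid_dumpable value; return 0 only when SUID dumps are off.
assess_suid_dumpable() {
    case "$1" in
        0) echo "suid_dumpable=0: SUID crashes are not dumped (mitigated)"; return 0 ;;
        1) echo "suid_dumpable=1: SUID crashes dumped like normal processes (exposed)"; return 1 ;;
        2) echo "suid_dumpable=2: SUID crashes go to the pipe handler (race still possible)"; return 1 ;;
        *) echo "unrecognised suid_dumpable value: $1"; return 2 ;;
    esac
}

# Extract the handler binary from kernel.core_pattern. A leading '|' means the
# kernel pipes the dump to a userland handler (Apport, systemd-coredump);
# anything else is a plain file template written by the kernel itself.
core_handler_of() {
    case "$1" in
        "|"*) printf '%s\n' "${1#|}" | cut -d' ' -f1 ;;
        *)    echo "kernel-file:$1" ;;
    esac
}

# Live check. Reads procfs when no arguments are given; otherwise uses the
# supplied values (suid_dumpable, core_pattern), which makes it testable offline.
check_system() {
    dumpable=${1:-$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)}
    pattern=${2:-$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)}
    echo "core handler: $(core_handler_of "$pattern")"
    assess_suid_dumpable "$dumpable"
}

# Usage: sh check-coredump.sh --check   (exit status 0 means SUID dumps are disabled)
case "${1:-}" in
    --check) check_system ;;
esac
```

Setting the sysctl to 0 is only the temporary workaround from the list above; the package updates remain the actual fix.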
## Detection
- **Indicators of Compromise:** Look for unexpected file access or changes to core dump files immediately following process crashes, especially if these crashes involve SUID binaries.
- **Detection Methods and Tools:** Monitor system calls related to process crashing and core dump generation for abnormal initiation or timing by low-privileged local users. Detection should focus on the attempted race condition preceding the handler's execution.
## References
- Vendor advisories: Not explicitly listed/linked but implied through CVE assignment.
- Relevant links (defanged):
  - hXXps://www.infosecurity-magazine.com/news/linux-vulnerabilities-expose/
  - hXXps://www.infosecurity-magazine.com/news/new-linux-vulnerabilities-