Cybersecurity researchers have identified two significant vulnerabilities in widely used Linux distributions, specifically impacting Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora. A local attacker could use these flaws to steal sensitive information, including user password hashes, which are crucial for system security.
To understand these vulnerabilities, one should first understand “Core Dumps”.
A core dump file is created by the operating system when a program on a Linux system crashes or terminates unexpectedly. Developers use core dumps to debug software and understand why a program failed. While useful for diagnostics, core dumps can contain sensitive data, including parts of the program’s memory that might hold passwords, encryption keys, or other confidential information. Linux systems use specific handlers, like Apport (in Ubuntu) and systemd-coredump (in RHEL and Fedora), to manage these crash reports and core dumps.
The Discovered Vulnerabilities: Race Conditions in Core Dump Handlers
The newly identified flaws are:
Both CVEs have a CVSS score of 4.7, indicating a Moderate severity. However, their impact on confidentiality is high. The primary risk is the theft of password hashes from the /etc/shadow file, which stores the hashes of user passwords.
What is a race condition?
A race condition arises when two or more operations access and modify shared data at the same time and the outcome depends on which one finishes first; the small window between those operations is what an attacker can interfere with, leading to unintended and potentially harmful results. In the context of these Linux flaws, the race condition lets a local attacker (someone who already has limited access to the system) target a program that runs with elevated permissions (a “SUID program”). When such a program crashes, the core dump handler steps in, and the race condition allows the attacker to manipulate the timing and gain unauthorized read access to the resulting core dump file, which can expose sensitive data from the crashed privileged process.
System administrators should act immediately. The best defense is to apply official patches from Ubuntu, Red Hat, and Fedora as soon as they are available. Until then, consider disabling core dumps for SUID binaries by running echo 0 > /proc/sys/fs/suid_dumpable as root. Be aware that this might affect debugging. Also, limit access to core dump directories (e.g., /var/lib/systemd/coredump), monitor local user activity, and review systemd-coredump configurations for security.
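As an added example (not code from the article), a small POSIX shell audit of the interim mitigations listed above: it checks fs.suid_dumpable, the permissions on the core dump directory, and the Storage= setting of systemd-coredump, and defines a root-only function that applies the echo 0 from the text and makes it persistent through an /etc/sysctl.d drop-in. The drop-in filename and the report wording are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the article: audit (and optionally apply) the
# interim core dump mitigations. File paths are parameters so each check
# can also be exercised against constructed copies of the files.

# 0 if fs.suid_dumpable (read from $1, default the live sysctl file) is 0,
# meaning crashed setuid/privileged processes produce no core dump at all.
suid_dumpable_is_off() {
    f="${1:-/proc/sys/fs/suid_dumpable}"
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "0" ]
}

# 0 if directory $1 grants "other" no permissions, so unprivileged local
# users can neither list nor open dumps stored there (GNU stat assumed).
coredump_dir_is_restricted() {
    [ -d "$1" ] || return 2
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the effective Storage= value of a systemd coredump.conf ($1).
# Commented lines are ignored, the last assignment wins, and the
# documented default is "external"; "none" keeps dumps off the disk.
coredump_storage() {
    v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-external}"
}

# Apply the article's mitigation now and persist it across reboots with a
# sysctl drop-in (assumed filename). Must run as root; not invoked below.
disable_suid_dumps() {
    echo 0 > /proc/sys/fs/suid_dumpable
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/99-no-suid-dumps.conf
}

# Live audit of this host. Each check runs inside an if, so a failing
# check only reports and never aborts the script under `set -e`.
if suid_dumpable_is_off; then echo "suid_dumpable: OK (0)"
else echo "suid_dumpable: NOT 0, privileged processes can still be dumped"; fi
if coredump_dir_is_restricted /var/lib/systemd/coredump; then echo "coredump dir: restricted"
else echo "coredump dir: missing, or readable by other users"; fi
echo "systemd-coredump Storage=$(coredump_storage /etc/systemd/coredump.conf)"
```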
These newly identified flaws underscore that core dump handlers are often overlooked in Linux security. Proactive measures like timely patching and strong access controls are vital to protect against such vulnerabilities and maintain data confidentiality.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news