Summary of Qualys Security Advisory on Local Information Disclosure Vulnerabilities
Overview
Qualys has identified two vulnerabilities in core-dump handlers used in Linux distributions, specifically apport in Ubuntu and systemd-coredump in Red Hat Enterprise Linux and Fedora. These vulnerabilities (CVE-2025-5054 and CVE-2025-4598) enable local attackers to exploit race conditions to gain unauthorized access to sensitive information from core dumps created when setuid programs crash.
Context and Significance
Both vulnerabilities stem from race conditions where an attacker can quickly replace a crashed SUID program with a non-SUID program before the core dump handler processes the crashed program’s files. Successful exploitation can lead to unauthorized access to the /etc/shadow file, which contains hashed passwords, or to sensitive data from root daemons.
Vulnerabilities in Detail
- Apport (CVE-2025-5054):
  - Mechanism: An attacker could forcibly crash a SUID program (e.g., unix_chkpwd) while simultaneously replacing it with a different process before apport analyzes its state.
  - Security Analysis: While apport has implemented several safeguards over the years, it still has weaknesses. The checks that ensure the integrity of the crashed process are executed after the core dump has started, allowing for exploitation.
  - Proof of Concept: A crafted attack can successfully retrieve password hashes from the unix_chkpwd program’s memory by timing the process replacements correctly.
- Systemd-coredump (CVE-2025-4598):
  - Mechanism: Similar to the first vulnerability, but more straightforward as it does not require the replaced process to be namespaced. A non-SUID process can replace the crashed one, allowing the attacker to read the core dump.
  - Security Analysis: Systemd’s protections against these races are inadequate, presenting an easier attack surface compared to apport. The vulnerability’s exploitation is complicated by systemd-coredump’s C implementation, which reduces the time available for the attack.
  - Proof of Concept: Through a crafted input, it can reveal sensitive information from unix_chkpwd using the systemd core dump process.
Mitigation Strategies
To mitigate these vulnerabilities, the advisory suggests setting /proc/sys/fs/suid_dumpable to 0 to entirely prevent core dumps from being created for SUID and SGID programs, effectively serving as a temporary solution until proper patches are applied. Further technical fixes include making sure that core dump handlers respect the kernel’s per-process "dumpable" flag to ensure that unprivileged users cannot access core dumps from privileged processes.
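As an added example (not part of the advisory or of either project), a small POSIX shell audit of the suid_dumpable setting the advisory recommends; the function names are my own, and the file path is a parameter so the check can also be run against a constructed sample file.

```shell
#!/bin/sh
# Added example: audit the kernel's fs.suid_dumpable setting.
# The live value lives in /proc/sys/fs/suid_dumpable (default path below).

# Print a verdict for a suid_dumpable value; return 0 only for the hardened value 0.
suid_dumpable_verdict() {
    value="$1"
    case "$value" in
        0) echo "0: setuid/setgid programs never dump core (advisory mitigation)"; return 0 ;;
        1) echo "1: debug mode, all processes dump core; not for production"; return 1 ;;
        2) echo "2: suidsafe, dump handed to the core_pattern handler (the racy path)"; return 1 ;;
        *) echo "unexpected value '$value'"; return 2 ;;
    esac
}

# Read the setting from a file (default: the live /proc entry) and report on it.
check_suid_dumpable() {
    path="${1:-/proc/sys/fs/suid_dumpable}"
    [ -r "$path" ] || { echo "cannot read $path"; return 2; }
    value=$(tr -d '[:space:]' < "$path")
    suid_dumpable_verdict "$value"
}

# Persisting the hardened value needs root, so it is shown here, not executed:
#   printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/99-no-suid-coredump.conf
#   sysctl --system
```

Run `check_suid_dumpable` with no argument on a live host; a non-zero exit means setuid core dumps are still being produced and handed to apport or systemd-coredump.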
Acknowledgments and Collaboration
The advisory credits the hard work of the Ubuntu security team, the developers of apport, the developers of systemd, and Red Hat Product Security for their cooperation in addressing these vulnerabilities. Additionally, the kernel’s %F feature is highlighted as an enhancement that could bolster protections against such attacks in the future.
Timeline of Events
- Initial advisories and proofs of concept were communicated to affected developers from March to early May 2025, culminating in a public advisory release on May 29, 2025. This collaborative approach underscores the importance of open source community communication in enhancing software security.
Overall, these vulnerabilities pose significant risks for Linux distributions, particularly concerning the handling of sensitive data in crash situations, underlining the need for ongoing vigilance and robust security practices among developers.