Critical Linux Vulnerabilities Enable Password Hash Theft in Ubuntu, RHEL, and Fedora

Published: May 31, 2025, by Ravie Lakshmanan. Tags: Vulnerability / Linux

New Vulnerabilities Uncovered in Linux Systems

Two information disclosure vulnerabilities have been identified in the crash-handling components shipped by popular Linux distributions, including Ubuntu, Red Hat Enterprise Linux, and Fedora. The flaws were reported by the Qualys Threat Research Unit (TRU) and are tracked as CVE-2025-5054 and CVE-2025-4598.

The Nature of the Vulnerabilities

Both vulnerabilities are race conditions that could allow a local attacker to read data belonging to a more privileged process. The affected components, Apport (Canonical's crash reporter) and systemd-coredump (the core dump handler used on RHEL and Fedora), are the user-space programs the kernel hands a crashing process's memory image to for analysis and storage.

According to Saeed Abbasi, a product manager at Qualys TRU, “These race conditions enable a local attacker to exploit a SUID program, which can lead to unauthorized read access of the core dump files.”

Details on Each Vulnerability

  • CVE-2025-5054 (CVSS score: 4.7) – A race condition in Canonical's apport package up to and including version 2.32.0. A local attacker can leak sensitive information by combining PID reuse with namespaces, so that Apport handles the attacker's process in place of the crashed privileged one.
  • CVE-2025-4598 (CVSS score: 4.7) – A race condition in systemd-coredump. An attacker can force a SUID process to crash and replace it with a non-SUID binary, gaining access to the original privileged process's core dump. That dump can contain data the attacker could not otherwise read, such as the contents of /etc/shadow loaded by the crashed process.

Understanding SUID and Risk Factors

SUID (Set User ID) is a file permission bit that makes a program run with the privileges of its owner, typically root, rather than those of the user who invoked it. A running SUID process may therefore hold data its invoker is not allowed to read, and a core dump of that process must not be handed to the invoking user. That is what makes crash handlers a target: if the handler can be confused about which process (and which user) a dump belongs to, the SUID boundary is bypassed.

Octavio Galland from Canonical explained, “When Apport analyzes application crashes, it checks if the crashing process was running within a container prior to conducting consistency checks. A local attacker might exploit this to shift a privileged process and capture its core dump containing sensitive information.”

Severity and Mitigations

Red Hat rates CVE-2025-4598 as Moderate severity because of the high attack complexity: the attacker needs an unprivileged local account and must win the race against the core dump handler.

To mitigate these risks, Red Hat recommends that root run echo 0 > /proc/sys/fs/suid_dumpable. The fs.suid_dumpable sysctl controls whether processes that have changed privileges (such as SUID programs) produce core dumps when they crash: 0 disables such dumps, 1 dumps every process, and 2 ("suidsafe") dumps them but makes the file readable only by root and requires kernel.core_pattern to be a pipe handler or an absolute path. Setting it to 0 prevents the sensitive dump from ever being created, at the cost of losing crash data for SUID programs. Note that the echo command only changes the running kernel; to keep the setting across reboots, put fs.suid_dumpable = 0 in a file under /etc/sysctl.d/ that sorts after any distribution default.
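The following script is an added example, not code from Qualys, Red Hat or Canonical. It reports which user-space crash handler kernel.core_pattern points to, interprets the live fs.suid_dumpable value, and, when run as root with --apply, enforces 0 both live and in a sysctl.d drop-in so the mitigation survives a reboot. The drop-in file name 90-no-suid-coredumps.conf is an assumed choice.

```sh
#!/bin/sh
# Added example: audit and enforce the fs.suid_dumpable mitigation from the advisory.
# Not code from Qualys, Red Hat or Canonical. The drop-in name is an assumption.

DROPIN=/etc/sysctl.d/90-no-suid-coredumps.conf   # assumed name; sorts after distro defaults

# Explain a fs.suid_dumpable value using the kernel's documented meanings.
suid_dumpable_meaning() {
  case "$1" in
    0) echo "0: processes that changed privileges (SUID/SGID) are never dumped" ;;
    1) echo "1: debug mode, every crashing process is dumped" ;;
    2) echo "2: suidsafe, privileged processes are dumped to root-only files or a pipe handler" ;;
    *) echo "unknown value '$1'"; return 1 ;;
  esac
}

# True only for the value that stops the sensitive dump from being created at all.
suid_dumps_disabled() { [ "$1" = "0" ]; }

# Identify the user-space handler from a kernel.core_pattern string.
core_handler() {
  case "$1" in
    *systemd-coredump*) echo "systemd-coredump" ;;
    *apport*)           echo "apport" ;;
    \|*)                echo "other pipe handler" ;;
    *)                  echo "kernel" ;;   # plain file pattern, no user-space handler
  esac
}

# Content of the persistent drop-in; the advisory's bare echo is lost on reboot.
sysctl_dropin() { printf 'fs.suid_dumpable = 0\n'; }

# Read the live values; print "unknown" where /proc/sys is unavailable.
live_suid_dumpable() { cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown; }
live_core_pattern()  { cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown; }

report() {
  v=$(live_suid_dumpable)
  p=$(live_core_pattern)
  echo "core handler : $(core_handler "$p")"
  echo "suid_dumpable: $(suid_dumpable_meaning "$v" || true)"
  if suid_dumps_disabled "$v"; then
    echo "OK   : SUID core dumps are disabled"
  else
    echo "WARN : SUID core dumps reach the handler; run '$0 --apply' as root"
  fi
}

harden() {
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  echo 0 > /proc/sys/fs/suid_dumpable          # live change, same as the advisory
  sysctl_dropin > "$DROPIN"                     # persistent change
  echo "applied: fs.suid_dumpable=0 (live) and $DROPIN (persistent)"
}

case "${1:-}" in
  --apply) harden ;;
  *)       report ;;
esac
```

Run it without arguments to audit a host; the handler name tells you whether the host runs the Apport or systemd-coredump code path at all, and the WARN line means a crashing SUID process currently produces a dump for the handler to mishandle.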

Advisories from Other Distributions

Similar advisories have been issued by other distributions, including Amazon Linux, Debian, and Gentoo. Debian is not affected by CVE-2025-4598 by default, because systemd-coredump is only present if the package is installed manually. Ubuntu is likewise unaffected by that CVE, since it uses Apport rather than systemd-coredump as its crash handler.

Proof of Concept and Implications

Qualys has developed proof-of-concept (PoC) code for both vulnerabilities, showing how a local attacker can obtain the core dump of a crashed unix_chkpwd process (the SUID helper PAM uses to verify passwords) and extract password hashes from /etc/shadow.

In its advisory, Canonical noted the limited real-world impact of CVE-2025-5054, while Qualys reiterated the confidentiality risk posed by both flaws. “The exploitation of vulnerabilities in Apport and systemd-coredump poses a serious threat to data confidentiality,” Abbasi stated. “The potential fallout includes operational downtimes, reputational damage, and the risk of falling out of compliance with necessary regulations.”

Qualys urges enterprises to prioritize installing the vendor patches, tighten access controls on local accounts, and monitor continuously for anomalous activity.
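One concrete form of that monitoring, as an added example that is not from the article or from Qualys: winning a race condition normally takes many attempts, so one unprivileged user repeatedly crashing the same SUID helper is a signal worth alerting on. The script below counts core dumps per (program, uid) pair. The log lines are constructed to match the journal message systemd-coredump writes ("Process N (name) of user U dumped core."); the threshold of 5 is an assumed tuning value.

```sh
#!/bin/sh
# Added example: hunt for bursts of core dumps from SUID helpers such as unix_chkpwd.
# Not code from Qualys or the article. The sample lines are constructed; on a real host
# feed live data instead:
#   journalctl -t systemd-coredump --since "1 hour ago" | flag_crash_bursts 5

# Constructed sample: six unix_chkpwd crashes by uid 1000 plus one unrelated crash.
SAMPLE='May 31 10:00:01 host systemd-coredump[4101]: Process 4097 (unix_chkpwd) of user 1000 dumped core.
May 31 10:00:01 host systemd-coredump[4104]: Process 4102 (unix_chkpwd) of user 1000 dumped core.
May 31 10:00:02 host systemd-coredump[4109]: Process 4107 (unix_chkpwd) of user 1000 dumped core.
May 31 10:00:02 host systemd-coredump[4115]: Process 4113 (unix_chkpwd) of user 1000 dumped core.
May 31 10:00:03 host systemd-coredump[4120]: Process 4118 (unix_chkpwd) of user 1000 dumped core.
May 31 10:00:03 host systemd-coredump[4126]: Process 4124 (unix_chkpwd) of user 1000 dumped core.
May 31 10:02:10 host systemd-coredump[4200]: Process 4190 (firefox) of user 1000 dumped core.'

# Print "<program> uid=<uid> dumps=<n>" for every (program, uid) pair that dumped
# core at least $1 times (default 5) in the lines read on stdin, sorted by name.
flag_crash_bursts() {
  awk -v threshold="${1:-5}" '
    /Process [0-9]+ \(.*\) of user [0-9]+ dumped core/ {
      prog = $0; sub(/.*Process [0-9]+ \(/, "", prog); sub(/\).*/, "", prog)
      uid  = $0; sub(/.*\) of user /, "", uid);        sub(/ dumped core.*/, "", uid)
      count[prog " uid=" uid]++
    }
    END {
      for (k in count)
        if (count[k] >= threshold) print k " dumps=" count[k]
    }' | sort
}

# Demo run over the constructed sample: only unix_chkpwd crosses the threshold.
printf '%s\n' "$SAMPLE" | flag_crash_bursts 5
```

Pair the count with the uid: a burst of crashes from a single unprivileged uid against a SUID helper is the pattern to escalate, whereas the same program crashing once for many users points at a bug rather than an attack.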
