New Linux Vulnerabilities Expose Password Hashes via Core Dumps

Two local information-disclosure vulnerabilities have been identified in popular Linux crash-reporting tools. They allow a local, unprivileged user to read the memory of crashed privileged processes, including data such as password hashes.

The vulnerabilities, uncovered by the Qualys Threat Research Unit (TRU), impact Apport on Ubuntu and systemd-coredump on Red Hat Enterprise Linux (RHEL) and Fedora.

CVE-2025-5054 affects Apport, Ubuntu’s crash-reporting framework, while CVE-2025-4598 affects systemd-coredump, the default core-dump handler on RHEL 9, RHEL 10 and Fedora 40/41.

Both are race conditions in how the crash handler identifies the process that crashed. A local user deliberately crashes a SUID program (a set-user-ID binary that runs with its owner's privileges, usually root) and then, before the handler inspects the crashed process, reuses its PID with a process the attacker controls. The handler then treats the privileged core dump as belonging to the attacker's process and hands it over.

In proof-of-concept demonstrations, TRU extracted password hashes from /etc/shadow by targeting unix_chkpwd, the SUID helper that PAM uses to verify passwords. It is present by default on most Linux distributions and reads /etc/shadow into memory, so its core dump contains hashes the attacker could never read from the file directly.

“Crash handlers remain a hidden weak point in Linux hygiene,” said Jason Soroko, senior fellow at Sectigo.

“The discoveries tracked as CVE-2025-5054 and CVE-2025-4598 expose how engineers have placed legacy debug tools inside modern production images without redesign.”

He added: “Core dump helpers still inherit enough privilege to reveal the entire shadow store. A local low-privilege user can wait for any SUID process to crash, then race the handler and loot hashes without tripping network detection.”

Core dumps are snapshots of a crashing process's memory and often include credentials or cryptographic keys the process had loaded.

Tools like Apport and systemd-coredump exist for debugging, but they run with enough privilege to collect dumps of privileged processes, so a bug in the handler or a permissive configuration can expose that data to unprivileged users.

Affected software includes:

  • Apport up to version 2.33.0 on all Ubuntu releases since 16.04, including 24.04

  • systemd-coredump on Fedora 40/41, RHEL 9 and RHEL 10

Debian systems are not affected in a default installation, because Debian does not ship systemd-coredump by default; systems where it has been installed manually should be treated as affected until patched.

To reduce exposure, administrators are advised to:

  • Set /proc/sys/fs/suid_dumpable to 0, which disables core dumps for all SUID programs and so removes the attack path on both patched and unpatched systems. A direct write to /proc takes effect immediately but does not survive a reboot, so persist the value through the sysctl configuration as well, and accept that crash reports for SUID programs are lost

  • Apply available patches as soon as possible

  • Tighten access controls around core-dump handling utilities
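The audit and hardening steps above, as an added shell example that is not part of the article or of Qualys's advisory. The sysctl knobs (fs.suid_dumpable, kernel.core_pattern) and the handler paths matched are the real ones; the verdict wording, the exit codes, the drop-in file name 99-disable-suid-coredumps.conf and the --audit/--harden flags are this script's own choices.

```shell
#!/bin/sh
# Added example (not Qualys's or the article's code): audit a host's core-dump
# configuration for the SUID exposure described above and optionally apply the
# recommended mitigation. POSIX sh. Verdict strings, exit codes and the drop-in
# file name are this script's own conventions.

# Classify a core-dump configuration.
#   $1  contents of /proc/sys/fs/suid_dumpable (0, 1 or 2)
#   $2  contents of /proc/sys/kernel/core_pattern
# Prints a verdict. Exit status: 0 = set-uid cores can never reach a handler,
# 1 = needs review, 2 = set-uid cores are piped to one of the two handlers
# named in the advisory (exposed unless that handler is patched).
classify_coredump_exposure() {
    suid_dumpable=$1
    core_pattern=$2
    case "$suid_dumpable" in
        0)
            echo "safe: fs.suid_dumpable=0, set-uid processes never dump core"
            return 0 ;;
        1)
            # "debug" mode: set-uid cores are written like any other core dump
            echo "review: fs.suid_dumpable=1 dumps set-uid processes without handler protection"
            return 1 ;;
        2)
            # "suidsafe" mode: set-uid cores are handed only to the core_pattern target
            case "$core_pattern" in
                "|"*apport*)
                    echo "exposed: set-uid cores piped to Apport (CVE-2025-5054 unless patched)"
                    return 2 ;;
                "|"*systemd-coredump*)
                    echo "exposed: set-uid cores piped to systemd-coredump (CVE-2025-4598 unless patched)"
                    return 2 ;;
                "|"*)
                    echo "review: set-uid cores piped to another handler: $core_pattern"
                    return 1 ;;
                *)
                    echo "review: set-uid cores written to file pattern: $core_pattern"
                    return 1 ;;
            esac ;;
        *)
            echo "unknown fs.suid_dumpable value: $suid_dumpable"
            return 1 ;;
    esac
}

# Read the live kernel values and classify them.
audit_live_system() {
    classify_coredump_exposure \
        "$(cat /proc/sys/fs/suid_dumpable)" \
        "$(cat /proc/sys/kernel/core_pattern)"
}

# Apply the advisory's mitigation: disable core dumps for set-uid processes
# now (sysctl -w) and across reboots (drop-in under /etc/sysctl.d, which
# overrides the fs.suid_dumpable=2 that systemd's own 50-coredump.conf sets).
# Requires root. The drop-in path is this script's choice.
harden_suid_dumpable() {
    conf=${1:-/etc/sysctl.d/99-disable-suid-coredumps.conf}
    printf 'fs.suid_dumpable = 0\n' > "$conf"
    sysctl -w fs.suid_dumpable=0
}

case "${1:-}" in
    --audit)  audit_live_system ;;
    --harden) harden_suid_dumpable && audit_live_system ;;
esac
```

Run with --audit as any user to see where a host stands; --harden needs root. Re-run the audit after a reboot and after restarting the crash-handler service, because both tools configure these knobs at start-up and a later writer wins. Setting fs.suid_dumpable to 0 closes the SUID path the proof-of-concept relies on, but the vendor patch remains the actual fix for the handler.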

“Defenders should begin to treat crash management as a regulated data pipeline instead of a developer convenience,” Soroko said.

“Encrypt memory dumps in flight and at rest and enforce rapid shredding once triage ends. Strip SUID binaries of the ability to write dumps and verify handler identity with strict PID checks. These changes will end up costing little compared with a breach triggered by password hash theft.”
