Qualys has uncovered two vulnerabilities, one in the Apport tool (CVE-2025-5054) and one in systemd-coredump (CVE-2025-4598), both of which process core files generated when a process terminates abnormally. These vulnerabilities provide access to core files that contain sensitive information such as privileged data or encryption keys. The apport utility is responsible for saving core dumps in Ubuntu, while systemd-coredump is used in Red Hat Enterprise Linux 9+ and several other Linux distributions.
A demonstration of the attack technique showed that core files from abnormally terminated processes, such as SUID applications, can be accessed. In one scenario, the unix_chkpwd SUID application allowed access to system user passwords held in memory after processing. This vulnerability was observed in Ubuntu 24.04 and Fedora 40/41, with potential risks for other Linux distributions.
Both vulnerabilities stem from a race condition that allows the SUID process to be replaced with another process after the core dump has been initiated but before user-space processing begins. When the abnormal termination of a process triggers the creation of a core file, malicious actors can exploit the delay in core-dump generation to swap the SUID process for one of the user's ordinary processes, leading to unauthorized access.
The Apport attack method involves several steps:
- A new process is forked and executes the SUID program, such as unix_chkpwd.
- The SUID program loads confidential data into memory, such as user passwords.
- The process is abruptly terminated with a SIGSEGV or SIGSYS signal.
- The core dump is generated and Apport processes it, allowing access to the core file.
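
A host-side check for the condition the steps above depend on, namely that a crashing SUID process produces a core that is handed to a user-space handler. This is an added example, not code from Qualys or from the article. It relies on two standard Linux sysctls the article does not mention, `fs.suid_dumpable` and `kernel.core_pattern`; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: report whether cores from SUID processes can reach
# apport or systemd-coredump on this host. It does not check whether
# the installed handler package is already patched.

# classify_core_handler SUID_DUMPABLE CORE_PATTERN
# Prints one label: suid-cores-disabled, suid-cores-to:apport,
# suid-cores-to:systemd-coredump, suid-cores-to:other-pipe,
# or suid-cores-to:file.
classify_core_handler() {
    dumpable=$1
    pattern=$2

    # fs.suid_dumpable=0: the kernel does not dump processes that changed
    # privilege level, so no SUID core is ever passed to a handler.
    if [ "$dumpable" = "0" ]; then
        echo "suid-cores-disabled"
        return 0
    fi

    case $pattern in
        "|"*)
            # Pipe handler: the first word after '|' is the helper binary.
            helper=${pattern#"|"}
            helper=${helper%% *}
            case ${helper##*/} in
                apport)           echo "suid-cores-to:apport" ;;
                systemd-coredump) echo "suid-cores-to:systemd-coredump" ;;
                *)                echo "suid-cores-to:other-pipe" ;;
            esac
            ;;
        *)
            # Plain path template: the kernel writes the core file itself.
            echo "suid-cores-to:file"
            ;;
    esac
}

# Read the live values from /proc and classify them.
audit_host() {
    dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null) || return 1
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || return 1
    classify_core_handler "$dumpable" "$pattern"
}

audit_host || echo "unknown: /proc sysctls not readable"
```

A result of `suid-cores-to:apport` or `suid-cores-to:systemd-coredump` means the handler's package version should be checked against the distribution's fix for the CVE; setting `fs.suid_dumpable` to 0 stops SUID cores from being produced at all.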