Linux Flaws Expose Password Hashes On Millions of Systems
This document outlines two recently discovered critical vulnerabilities in Linux systems that could lead to the exposure of sensitive data, including password hashes. It also provides potential exploitation scenarios and recommended remedies to mitigate these risks.
Details of the Vulnerabilities
The vulnerabilities discussed are both race-condition vulnerabilities affecting core dump handlers across major Linux distributions:
CVE-2025-5054: This vulnerability affects Apport, Ubuntu's default crash reporting tool.
CVE-2025-4598: This impacts systemd-coredump, a component used by default in Red Hat Enterprise Linux (RHEL) 9 and 10, as well as Fedora 40/41.
These flaws allow attackers to exploit Set User ID (SUID) programs. SUID programs execute with the privileges of their owner (often root), rather than the user running them. When such a program crashes, a "core dump" (a memory snapshot of the program at the time of the crash) is generated. The race-condition vulnerabilities enable an attacker to gain unauthorized access to these core dumps.
Why is this critical? Core dumps can contain highly sensitive data, including:
Password hashes: These are cryptographic representations of user passwords. Although they are not the plain-text passwords, they can be subjected to offline brute-force and dictionary attacks, which succeed quickly against weak passwords.
Encryption keys: Keys used to encrypt data, communications, or even disk volumes.
Other credentials: API keys, session tokens, or other sensitive information residing in memory during the crash.
Unauthorized access to such data can lead to privilege escalation, lateral movement within a network, data breaches, and complete system compromise.
Exploitation Scenarios
Here are a few scenarios illustrating how these vulnerabilities could be exploited:
Scenario 1: Local Privilege Escalation
Attacker Profile: A malicious user who has gained low-level access to a vulnerable Linux system (e.g., via a compromised SSH account, a web application vulnerability, or physical access).
Attack Flow:
The attacker identifies a vulnerable SUID program on the system.
They craft a specific input or sequence of actions designed to make the SUID program crash intentionally.
During the crash, the vulnerable core dump handler (Apport or systemd-coredump) creates a core dump file.
Due to the race-condition vulnerability, the attacker manipulates the timing or file paths to gain read access to this core dump before system safeguards can properly secure or delete it.
The attacker extracts password hashes (e.g., of root or other privileged users) or encryption keys from the core dump. Using these hashes, the attacker can attempt to crack the passwords offline or use "pass-the-hash" techniques to authenticate as a privileged user, thereby achieving local privilege escalation to root.
Scenario 2: Persistent Malicious Software
Attacker Profile: A persistent threat that has already established a foothold on a system (e.g., a trojan, a backdoor).
Attack Flow:
The malicious software runs in the background on a vulnerable system.
It continuously monitors for opportunities, such as when specific SUID programs are run or when a system process crashes.
Upon detecting a suitable event, the malware triggers a crash in a targeted SUID program or intercepts a legitimate crash.
It exploits the race-condition to quickly gain access to the resulting core dump.
The malware then exfiltrates sensitive information (password hashes, keys) to a remote command-and-control server.
This allows the attacker to gain credentials for other systems or services, maintaining long-term access and expanding their reach within the network.
Remedies and Safeguards
To protect systems from these critical vulnerabilities, implement the following remedies and best practices:
Immediate Patching and Updates:
Action: Apply security patches released by your Linux distribution vendors immediately. For Ubuntu, ensure Apport is updated. For RHEL, Fedora, and other distributions using systemd-coredump, update the systemd packages.
Why: Patches are specifically designed to fix the race conditions, preventing unauthorized access to core dumps.
Verification: After patching, verify that the updated package versions are installed and the system has been rebooted if necessary.
Disabling Core Dumps (with Caution):
Action: If core dumps are not strictly required for debugging purposes, consider disabling them system-wide or for specific users/groups.
For systemd-coredump: Modify /etc/systemd/coredump.conf to set Storage=none or ProcessSizeMax=0.
For Apport: Disable Apport by editing /etc/default/apport and setting enabled=0.
Globally via ulimit: Set ulimit -c 0 in shell profiles or system-wide configuration files to prevent core file generation.
Why: No core dump means no sensitive data to exploit.
Caveat: Disabling core dumps can hinder post-crash debugging and analysis, which might be crucial for identifying and fixing software bugs. Weigh the security benefit against debugging needs.
Principle of Least Privilege:
Action: Ensure that users and applications operate with the minimum necessary privileges. Minimize the number of SUID programs on your system.
Why: Reducing the attack surface by limiting what programs run with elevated privileges reduces the potential impact of an exploited SUID program.
Regular Security Audits and Monitoring:
Action: Implement robust logging and monitoring solutions (e.g., using auditd, SIEM systems). Regularly audit SUID files and permissions (find / -perm /4000). Monitor for unusual process crashes, attempts to access core dump directories, or unexpected file creations in /var/lib/apport/ or similar locations.
Why: Early detection of suspicious activity can help identify and respond to attempted or successful exploitations.
Endpoint Detection and Response (EDR) Solutions:
Action: Deploy EDR tools that can detect anomalous behavior, identify exploitation attempts, and provide automated responses.
Why: EDR solutions offer advanced threat detection capabilities beyond traditional antivirus, helping to spot sophisticated attacks that might leverage these types of vulnerabilities.
Strong Password Policies and MFA:
Action: Enforce strong password policies (complexity, length) and multi-factor authentication (MFA) wherever possible.
Why: Even if password hashes are exposed, strong passwords are harder to crack, and MFA provides an additional layer of security, making it more difficult for attackers to use stolen credentials.
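The core-dump settings from "Disabling Core Dumps" and the SUID audit from "Regular Security Audits and Monitoring" can be checked with the following script, an added example that is not part of the original post. It reads the effective key=value settings from constructed sample files (the paths are parameters rather than the real /etc files) and checks the shell's own core-file limit; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the core-dump hardening settings described in the text.
# Last assignment of a key wins and '#' comment lines are ignored, as in the real files.

# Print the effective value of KEY in FILE; prints nothing if the key or file is absent.
effective_value() {
    key="$1"; file="$2"
    [ -r "$file" ] || return 0
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1 | tr -d '[:space:]'
}

# Succeeds when a coredump.conf-style file disables storage: Storage=none or ProcessSizeMax=0.
systemd_coredump_disabled() {
    [ "$(effective_value Storage "$1")" = "none" ] ||
        [ "$(effective_value ProcessSizeMax "$1")" = "0" ]
}

# Succeeds when an /etc/default/apport-style file has enabled=0.
apport_disabled() {
    [ "$(effective_value enabled "$1")" = "0" ]
}

# Succeeds when the current shell's soft core-file size limit is 0 (ulimit -c 0).
ulimit_core_disabled() {
    [ "$(ulimit -S -c)" = "0" ]
}

# List SUID regular files under DIR: the find / -perm /4000 audit scoped to one tree.
list_suid() {
    find "$1" -xdev -type f -perm /4000 2>/dev/null
}

# Write constructed sample config files (not real system files) and print their directory.
write_samples() {
    dir=$(mktemp -d)
    # Storage is set twice; the later Storage=none must win over Storage=external.
    printf '%s\n' '[Coredump]' '#Storage=external' 'Storage=external' \
        'Storage=none' 'ProcessSizeMax=2G' > "$dir/coredump.conf"
    printf '%s\n' '# set this to 0 to disable apport' 'enabled=0' > "$dir/apport"
    echo "$dir"
}

# Stand-alone run: report on the constructed samples and on this shell's core limit.
samples=$(write_samples)
systemd_coredump_disabled "$samples/coredump.conf" && echo "systemd-coredump: disabled" || echo "systemd-coredump: still storing dumps"
apport_disabled "$samples/apport" && echo "apport: disabled" || echo "apport: enabled"
ulimit_core_disabled && echo "ulimit -c: 0" || echo "ulimit -c: $(ulimit -S -c)"
rm -rf "$samples"
```

Point the functions at /etc/systemd/coredump.conf and /etc/default/apport to audit a real host; the script reads only the main file, so settings placed in coredump.conf.d drop-ins are not seen by it.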
Conclusion
The discovery of CVE-2025-5054 and CVE-2025-4598 highlights the ongoing importance of diligent system administration and proactive security measures. Race-condition vulnerabilities, while often complex to exploit, can have severe consequences, leading to the exposure of highly sensitive data. By staying informed, applying patches promptly, and implementing defense-in-depth strategies, organizations can significantly reduce their attack surface and protect their critical systems and data.