Linux Crash Dump Vulnerabilities Expose Passwords and Encryption Keys

Race-Condition Vulnerabilities in Ubuntu and Red Hat Could Expose Sensitive Memory Information


Recent research indicates that vulnerabilities within core-dump tools of older Linux distributions, specifically Ubuntu and Red Hat, could allow malicious actors to extract sensitive data such as passwords and encryption keys. The implications of these security gaps could be significant for businesses relying on these systems.

The vulnerabilities center on how these distributions handle application crashes. Apport on Ubuntu and systemd-coredump on Red Hat and Fedora collect diagnostic information when an application crashes, including a dump of its memory. Flaws in how they do so can let a local attacker read core dumps that contain critical data such as password hashes, which in turn facilitates unauthorized access to the system.

The Qualys Threat Research Unit has identified two race-condition vulnerabilities, tracked as CVE-2025-5054 and CVE-2025-4598, that highlight local information-disclosure risks in these core-dump frameworks. Attackers with minimal privileges could access sensitive information from system files such as /etc/shadow, which may lead to further exploitation.

These vulnerabilities underscore a crucial yet overlooked attack surface within Linux environments, as articulated by Jason Soroko, a senior fellow at Sectigo, a certificate lifecycle management provider. He stated that crash handlers often represent a significant, hidden weakness in Linux security measures.

The race conditions let a local attacker interfere with the handler while it processes the crash of a root-privileged process, so that the memory dump the handler produces becomes readable to the attacker. This sidesteps the usual protections that keep an unprivileged user from reading another process's memory, and the dump can be read without triggering common security alerts.

Although Linux developers have added safeguards against the exploitation of core dumps, such as process ID validation and restricted access to sensitive core files, outdated or unpatched systems remain particularly vulnerable, as Qualys emphasizes in its findings.

As a mitigation, Qualys recommends setting /proc/sys/fs/suid_dumpable to 0, which disables core dumps for SUID binaries. Sysadmins should also monitor access to the directories that hold core dumps and audit local user activity on vulnerable systems.
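As an added example (not from the article or from Qualys), the following bash script audits a host for the exposure described above: it classifies fs.suid_dumpable, identifies which handler kernel.core_pattern pipes crashes to, counts world-readable files in the usual dump directories (assumed to be /var/crash for Apport and /var/lib/systemd/coredump for systemd-coredump), and includes a function that applies the recommended setting persistently through an assumed /etc/sysctl.d drop-in.

```bash
#!/usr/bin/env bash
# Added example, not from the article or Qualys: audit a host for the core-dump exposure
# above. Assumed paths: Apport -> /var/crash, systemd-coredump -> /var/lib/systemd/coredump.
# fs.suid_dumpable: 0 = SUID and otherwise protected processes never dump (recommended),
# 1 = every process dumps as its own user, 2 = SUID processes dump as root-only files.
suid_dumpable_status() {
  case "$1" in
    0) echo "hardened" ;;
    1) echo "exposed" ;;
    2) echo "root-readable" ;;
    *) echo "unknown" ;;
  esac
}

# A kernel.core_pattern starting with '|' pipes each crash to the user-space handler
# (Apport or systemd-coredump) that the two CVEs affect; anything else is a plain file.
core_handler() {
  case "$1" in
    "|"*apport*)           echo "apport" ;;
    "|"*systemd-coredump*) echo "systemd-coredump" ;;
    "|"*)                  echo "other-pipe" ;;
    *)                     echo "file" ;;
  esac
}

# Count dump files any local user can read: the exposure the article describes.
# A missing directory counts as 0.
world_readable_dumps() {
  [ -d "$1" ] || { echo 0; return; }
  find "$1" -maxdepth 1 -type f -perm -o=r 2>/dev/null | wc -l | tr -d ' '
}

# Read the live kernel settings and summarise the host's exposure.
audit_host() {
  local sd cp d
  sd=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo "?")
  cp=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo "?")
  echo "fs.suid_dumpable=$sd ($(suid_dumpable_status "$sd"))"
  echo "core handler: $(core_handler "$cp")"
  for d in /var/crash /var/lib/systemd/coredump; do
    echo "$d: $(world_readable_dumps "$d") world-readable file(s)"
  done
}
# The Qualys mitigation made persistent (run as root). It also suppresses crash dumps
# for SUID programs, so losing that diagnostic data is the trade-off.
harden() {
  sysctl -w fs.suid_dumpable=0 &&
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/60-suid-dumpable.conf
}
audit_host
```

Run `harden` only after `audit_host` reports `exposed` or `root-readable` and you have accepted the loss of SUID crash diagnostics.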

Soroko advised that developers should reevaluate how crash dump management is categorized and handled, urging that these processes be treated as critical components of data security rather than mere conveniences for developers. He emphasized the necessity of encrypting dump files and establishing robust deletion standards to safeguard sensitive information.

Mapped to the MITRE ATT&CK framework, the tactics in play are privilege escalation and initial access, as attackers leverage weaknesses in critical system processes to gain higher levels of control. As organizations grapple with these newly disclosed vulnerabilities, proactive measures and a comprehensive understanding of their attack surface remain essential.
