New Linux Vulnerabilities Put Millions of Password Hashes at Risk

-

Two critical local information-disclosure vulnerabilities have been uncovered, affecting millions of Linux systems worldwide. These flaws could allow attackers to extract sensitive password data through manipulated core dumps—posing a serious security risk to enterprises and individuals alike.

The Discovery

The vulnerabilities, disclosed by the Qualys Threat Research Unit (TRU), target core dump handlers used in major Linux distributions. They involve race conditions that can be exploited to access core dumps generated by SUID (Set User ID) programs—a class of privileged executables.

  • CVE-2025-5054 targets Apport, Ubuntu’s crash reporting system.

  • CVE-2025-4598 affects systemd-coredump, the default handler in Red Hat Enterprise Linux (RHEL) 9 & 10 and Fedora 40/41.

Qualys researchers demonstrated successful proof-of-concept (PoC) exploits that allow attackers to manipulate processes like unix_chkpwd—a standard Linux utility for password verification—and extract password hashes directly from the core dumps.



Why Core Dumps Are a Target

Core dumps are memory snapshots generated when a program crashes, often containing valuable debugging information. Unfortunately, that can also include sensitive data like:

  • Password hashes

  • Encryption keys

  • Internal service tokens

  • Customer or user data

While Linux systems typically restrict access to these dumps—storing them in protected directories or limiting access to root users—these vulnerabilities bypass those protections by exploiting timing-based flaws in how core dumps are generated and handled.

Who Is Affected?

The vulnerabilities impact:

  • All Ubuntu versions from 16.04 through 24.04 via Apport (up to version 2.33.0)

  • Red Hat Enterprise Linux 9 & 10 and Fedora 40/41 via systemd-coredump

Notably, Debian systems are not affected by default, as they do not include a core dump handler unless one is explicitly installed.

Potential Impact

The risks posed by these vulnerabilities are severe:

  • Password hash exposure can lead to offline cracking and credential theft.

  • Privilege escalation and lateral movement become feasible for attackers within a network.

  • Compliance violations, reputational damage, and downtime are likely for affected organizations.

Mitigation and Recommendations

Security experts strongly recommend implementing an immediate workaround:

Set the /proc/sys/fs/suid_dumpable parameter to 0

This disables core dumps for all SUID programs, effectively blocking the attack vector.

While this step will disable some debugging capabilities, it serves as a crucial stopgap until official patches are released. Additionally, Qualys has released tested mitigation scripts to help organizations implement this change safely. However, administrators should test these scripts in staging environments to prevent unintended disruptions.

Key Takeaways

  • Two high-risk Linux vulnerabilities (CVE-2025-5054 and CVE-2025-4598) expose core dump data.

  • Millions of systems using Ubuntu, Fedora, and RHEL are at risk.

  • Exploitation allows attackers to extract password hashes and other sensitive memory content.

  • Immediate mitigations are available—but patches should be applied as soon as vendors release them.

This incident highlights the ongoing need for proactive vulnerability management, especially for foundational system components like crash handlers. Organizations should closely monitor their distributions for patch releases and prioritize mitigations to reduce exposure.

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more