Full Report
Qualys details CVE-2025-5054 and CVE-2025-4598, critical vulnerabilities affecting Linux crash reporting tools like Apport and systemd-coredump. Learn how…
Analysis Summary
This summary is based on the limited context provided, specifically mentioning CVE-2025-5054 and CVE-2025-4598 related to Linux crash reporting flaws exposing password hashes. Further technical details are extrapolated based on the described impact.
# Vulnerability: Linux Crash Reporting Flaws Exposing Password Hashes
## CVE Details
- CVE ID: CVE-2025-5054, CVE-2025-4598
- CVSS Score: Information not specified (Likely High due to password hash exposure)
- CWE: Information not specified (Likely related to Improper Restriction of Operations within the Bounds of a Memory Buffer or related component handling sensitive data during crashes)
## Affected Systems
- Products: Linux Kernel (Specifically components involved in crash reporting/dumping, e.g., `kdump`)
- Versions: Specific vulnerable versions are not listed in the provided context section. Users must check vendor advisories for exact ranges.
- Configurations: Systems utilizing default crash reporting mechanisms that write sensitive data (like memory containing password hashes) to crash dumps.
## Vulnerability Description
The vulnerability resides within the Linux crash reporting mechanism. Due to flaws in how crash dumps are generated or handled, sensitive information, specifically password hashes, can be inadvertently written to the crash dump files created when the system experiences a kernel panic or crash. An attacker with access to these crash dump files could extract user credential information.
## Exploitation
- Status: Information not specified (The description implies risk, but current exploitation status is unknown.)
- Complexity: Information not specified (If local file access is required, complexity might be medium; if triggered remotely or easily via a crash, it could be low.)
- Attack Vector: Likely Local (requires file system access to the crash dump file), or potentially Network if remote logging is misconfigured to expose the dump path publicly.
## Impact
- Confidentiality: **High** (Exposure of password hashes allows for credential stuffing or offline cracking)
- Integrity: Low
- Availability: Low (Triggering a crash to obtain the file might temporarily disrupt service, but the primary impact is confidentiality)
## Remediation
### Patches
- Specific patch versions are not detailed in the input context. Users should consult official Linux distribution advisories referring to CVE-2025-5054 and CVE-2025-4598 for the corresponding patched kernel releases.
### Workarounds
- Restrict access permissions to the location where crash dumps (e.g., `/var/crash`, `kdump` output directories) are stored, ensuring only authorized administrative users can read these files.
- If strictly necessary, temporarily disable automatic crash reporting utilities (where available) until a patch can be applied.
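
One way to check the first workaround, as an added example that is not part of the original summary or any vendor tooling: a POSIX shell audit that lists dump files under a crash directory that group or other users can read. The function names `audit_crash_dir` and `count_exposed` are hypothetical; `/var/crash` is the path named above, and any other directory is passed in by the operator.

```shell
#!/bin/sh
# Added example: audit crash-dump storage for files readable beyond their owner.
# Usage (as root, so find can descend everywhere): sh this_script /var/crash
# Function names are hypothetical; directories are supplied by the operator.

# Print one line per regular file under $1 that group or other can read.
# Returns 2 if $1 is not a directory, otherwise 0.
audit_crash_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SKIP $dir: not a directory" >&2
        return 2
    fi
    # -perm -004: the "other" read bit is set, so any local user can read the dump.
    find "$dir" -type f -perm -004 -print | sed 's/^/WORLD-READABLE /'
    # -perm -040 without -004: readable by the owning group only.
    find "$dir" -type f -perm -040 ! -perm -004 -print | sed 's/^/GROUP-READABLE /'
}

# Print the number of findings for $1 (0 when the tree is clean or missing).
count_exposed() {
    audit_crash_dir "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Audit every directory given on the command line and summarise each one.
for d in "$@"; do
    audit_crash_dir "$d"
    echo "$d: $(count_exposed "$d") dump file(s) readable by group or other"
done
```

Files reported as `WORLD-READABLE` are the priority to tighten; `GROUP-READABLE` entries need a check of who is in the owning group.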
## Detection
- **Indicators of compromise (IOCs):** Unusual read/write activity on crash dump directories immediately following a system crash. Unauthorized retrieval of memory dumps or crash log files from the server.
- **Detection methods and tools:** File integrity monitoring (FIM) on known crash dump locations. System log audits for unauthorized file access following kernel events.
## References
- Vendor advisories (Linux Distribution Security Bulletins related to the listed CVEs)
- Relevant links - defanged: `hackread.com/linux-crash-reporting-flaws-expose-password-hashes/`