systemd-coredump Race Condition Vulnerability Allowing Local Information Disclosure

Vulnerability

A race condition vulnerability has been identified in systemd-coredump, the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora 40 and 41. This vulnerability allows a local attacker to crash a SUID process and replace it with a non-SUID process before the core-dump handler can analyze the original process's auxiliary vector. Exploiting this flaw gives access to sensitive information, such as password hashes from /etc/shadow, that the original process had loaded into memory.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive data from the memory of a crashed SUID process, including password hashes from /etc/shadow.

Reproduction

The vulnerability can be reproduced by first executing a SUID program, such as 'unix_chkpwd', which loads sensitive information into memory. After the program has started, it is crashed using a signal that generates a core dump. Before the core-dump handler processes the crash, the SUID process is replaced with a non-SUID process that matches certain user and group ID requirements. This timing manipulation takes advantage of the race condition, allowing the core dump of the original process to be accessed through the core-dump handler.

Remediation

To address this vulnerability, systemd-coredump should be updated to properly account for the kernel's per-process 'dumpable' flag, ensuring that non-root users do not have read access to the core dumps of SUID or SGID processes. Additionally, the core pattern configuration should be modified to detect and prevent the replacement of crashed processes before they are analyzed.
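As an added defender-side example (not part of the advisory), the following shell script audits the two kernel settings that decide whether a crashed SUID/SGID process produces a core at all and which handler receives it: the fs.suid_dumpable sysctl, which initialises the per-process 'dumpable' flag the remediation refers to (the sysctl name is not stated on the page), and kernel.core_pattern. The fallback values used when /proc is unavailable are constructed samples.

```shell
#!/bin/sh
# Added audit script, not from the advisory. fs.suid_dumpable sets the initial
# "dumpable" flag of SUID/SGID processes: 0 = never dumpable, 1 = dumpable like
# any other process (debug), 2 = dumpable only into a root-owned file or a pipe
# handler. A kernel.core_pattern starting with "|" names the pipe handler.

# Print a verdict for a fs.suid_dumpable value; the exit status is the value
# itself, so only 0 (the hardened setting) counts as success.
assess_suid_dumpable() {
    case "$1" in
        0) echo "fs.suid_dumpable=0: SUID/SGID processes never dump core"; return 0 ;;
        1) echo "fs.suid_dumpable=1: SUID/SGID cores written like any other"; return 1 ;;
        2) echo "fs.suid_dumpable=2: SUID/SGID cores handed to the core handler"; return 2 ;;
        *) echo "fs.suid_dumpable=$1: unrecognised value"; return 3 ;;
    esac
}

# Succeed when core_pattern pipes dumps to systemd-coredump, the affected handler.
uses_systemd_coredump() {
    case "$1" in
        "|"*systemd-coredump*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when SUID/SGID cores can reach systemd-coredump at all, which is the
# precondition for the race described above (an unpatched handler is assumed).
suid_cores_reach_handler() {
    [ "$1" != "0" ] && uses_systemd_coredump "$2"
}

# Audit the running host. Off Linux the /proc reads fail and constructed sample
# values (a typical systemd-coredump pattern) stand in so the logic still runs.
audit_host() {
    dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo 2)
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null \
        || echo '|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h')
    assess_suid_dumpable "$dumpable" || true
    echo "kernel.core_pattern=$pattern"
    if suid_cores_reach_handler "$dumpable" "$pattern"; then
        echo "EXPOSED: SUID cores reach systemd-coredump; install the fixed package," \
             "or set fs.suid_dumpable=0 until it is installed"
        return 1
    fi
    echo "OK: SUID cores cannot reach systemd-coredump on this host"
}

audit_host || echo "(audit reported exposure)"
```

Run it as any user; the /proc files it reads are world-readable, so no privileges are needed to check a host.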

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.