Canonical apport
cpe:2.3:a:canonical:apport:*:*:*:*:*:*:*
- <= 2.32.0
A race condition vulnerability has been identified in Canonical Apport, the core-dump handler for Ubuntu, in versions through 2.32.0. This vulnerability allows local attackers to leak sensitive information by exploiting PID-reuse within namespaces. The issue arises when Apport handles a crash: the function '_check_global_pid_and_forward', which determines if the crashing process is in a container, is called before 'consistency_checks', which verifies if the process has been replaced. This timing flaw enables an attacker to crash a process, quickly replace it with a containerized one, and have Apport forward the core dump to the container, potentially disclosing sensitive data. The vulnerability has been addressed by reordering the function calls and modifying the conditions under which crashes are forwarded to containers.
Exploitation of this vulnerability allows local attackers to access sensitive information, such as password hashes, from the core dumps of crashed processes.
The vulnerability can be reproduced by first executing a SUID program, such as 'unix_chkpwd', which loads sensitive information into memory. After the program has crashed, it is quickly replaced with a non-SUID process running inside a user, mount, and PID namespace. This timing manipulation causes Apport to analyze the wrong process, while the core dump of the original SUID process is forwarded, leaking the sensitive data.
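As an added illustration of the ordering flaw described above (this is example code, not Apport's own implementation, which is not reproduced here), the following Python models a crash handler that pins the crashed process's identity as PID plus kernel start time from /proc/<pid>/stat, and contrasts the pre-fix call order (container check and forward before the replacement check) with the fixed order. The /proc stat lines and the `in_child_pidns` predicate are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcIdentity:
    pid: int
    starttime: int  # /proc/<pid>/stat field 22: start time, clock ticks since boot
    comm: str

def parse_stat(stat_line: str) -> ProcIdentity:
    """Parse one /proc/<pid>/stat line. comm is parenthesised and may contain
    spaces or ')', so split on the LAST ')' rather than on whitespace."""
    head, _, rest = stat_line.rpartition(")")
    pid, _, comm = head.partition("(")
    fields = rest.split()                    # fields[0] is field 3 (state)
    return ProcIdentity(int(pid), int(fields[22 - 3]), comm)

# Constructed sample lines: the SUID helper that crashed, and a non-SUID process
# that later reused the same PID 1234 (note the different start time).
CRASHED_STAT = ("1234 (unix_chkpwd) S 1 1234 1234 0 -1 4194560 100 0 0 0 "
                "1 0 0 0 20 0 1 0 500000 8192 30 18446744073709551615")
REUSED_STAT = ("1234 (evil ) name) S 1 1234 1234 0 -1 4194560 5 0 0 0 "
               "0 0 0 0 20 0 1 0 500031 4096 12 18446744073709551615")

def same_process(a: ProcIdentity, b: ProcIdentity) -> bool:
    """A PID alone is not an identity; PID plus kernel start time is."""
    return (a.pid, a.starttime) == (b.pid, b.starttime)

def handle_crash_vulnerable(crash, stat_now, in_container) -> str:
    """Pre-fix order: the container check runs on whatever owns the PID now,
    and the dump is forwarded before the replacement check is ever reached."""
    current = parse_stat(stat_now)
    if in_container(current):
        return "forward"
    if not same_process(crash, current):
        return "drop"
    return "local"

def handle_crash_fixed(crash, stat_now, in_container) -> str:
    """Fixed order: confirm the process is still the one that crashed before
    any decision that depends on its namespaces."""
    current = parse_stat(stat_now)
    if not same_process(crash, current):
        return "drop"
    return "forward" if in_container(current) else "local"

# Constructed predicate standing in for the real namespace check: only the
# replacement process lives in a child PID namespace.
def in_child_pidns(p: ProcIdentity) -> bool:
    return p.comm != "unix_chkpwd"
```

With `crashed = parse_stat(CRASHED_STAT)`, `handle_crash_vulnerable(crashed, REUSED_STAT, in_child_pidns)` returns "forward" while `handle_crash_fixed` with the same arguments returns "drop".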
Users can update to Apport versions 2.32.0-0ubuntu5.1 (Ubuntu 25.04), 2.30.0-0ubuntu4.3 (Ubuntu 24.10), 2.28.1-0ubuntu3.6 (Ubuntu 24.04 LTS), 2.20.11-0ubuntu82.7 (Ubuntu 22.04 LTS), 2.20.11-0ubuntu27.28 (Ubuntu 20.04 LTS), 2.20.9-0ubuntu7.29+esm1 (Ubuntu 18.04 LTS), or 2.20.1-0ubuntu2.30+esm5 (Ubuntu 16.04 LTS) to address this vulnerability.