**New vulnerabilities in Linux**
Published 2025-05-31 at https://www.ethicalhacker.com.br/site/2025/05/basico/novas-vulnerabilidades-no-linux/

**New Linux flaws allow password hash theft through core dumps on Ubuntu, RHEL and Fedora**

The Qualys Threat Research Unit (TRU) has identified two critical vulnerabilities in the core dump handlers Apport and systemd-coredump, which are used in Linux distributions such as Ubuntu, Red Hat Enterprise Linux (RHEL) and Fedora. These flaws, tracked as CVE-2025-5054 and CVE-2025-4598, are race conditions that can allow a local attacker to access sensitive information, including password hashes from the /etc/shadow file.

In this article we look at the technical details of these vulnerabilities, their potential impact and the mitigation measures recommended for protecting Linux systems.

**Technical details of the vulnerabilities**

**1. CVE-2025-5054 (Apport – CVSS 4.7)**

- **What is it?** A race condition in the Apport package (versions up to 2.32.0) that allows sensitive data to leak through PID reuse in namespaces.
- **How does it work?**
  - Apport checks whether a crashing process was inside a container before analysing it.
  - An attacker can induce a crash in a privileged process and quickly replace it with a malicious process that has the same PID inside a different namespace.
  - As a result, Apport forwards the core dump (containing sensitive data from the original process) into the namespace controlled by the attacker.

**2. CVE-2025-4598 (systemd-coredump – CVSS 4.7)**

- **What is it?** A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary in order to access its privileged core dump.
- **Impact:**
  - Allows reading of sensitive data loaded by the original process, such as the contents of /etc/shadow (where password hashes are stored).
  - Requires the attacker to win the race condition and to already hold an unprivileged local account.

**What is SUID and why is it a target?**

- SUID (Set User ID) is a special permission that lets a user run a program with the permissions of the file's owner (usually root).
- SUID processes are valuable targets because they can access restricted data, such as system credentials.

**Real-world impact**

**1. Password hash leakage**

- Qualys developed proof-of-concept (PoC) code showing how the core dump of unix_chkpwd (used to verify passwords) can be exploited to extract hashes from /etc/shadow.
- Although Canonical states that the impact of CVE-2025-5054 is limited, leaked hashes can be cracked offline using techniques such as brute force or rainbow tables.

**2. Additional risks**

- Encryption keys and confidential customer data can be extracted from core dumps.
- Consequences for businesses:
  - Operational downtime
  - Reputational damage
  - Risk of non-compliance with regulations (e.g. GDPR, LGPD).

**Mitigation measures**

**1. Apply security updates**

- Ubuntu/Debian:

```bash
sudo apt update && sudo apt upgrade
```

- RHEL/CentOS:

```bash
sudo yum update
```

- Fedora:

```bash
sudo dnf upgrade
```

**2. Disable core dumps for SUID binaries**

Run as root:

```bash
# 0 = SUID/setgid processes (and those that changed credentials) are never dumped
echo 0 > /proc/sys/fs/suid_dumpable
```

This prevents SUID processes from generating core dumps when they crash. Note that a value written to /proc/sys only lasts until the next reboot; to make it persistent, set fs.suid_dumpable to 0 in the sysctl configuration (/etc/sysctl.conf or a file under /etc/sysctl.d/).

**3. Restrict the use of SUID/SGID**

- Review binaries with SUID permissions:

```bash
# -perm -4000 matches files with the setuid bit; ls -la shows owner and mode
find / -perm -4000 -type f -exec ls -la {} \;
```

- Remove unnecessary permissions:

```bash
# /caminho/do/binario is a placeholder for the path of the binary being stripped of setuid
chmod u-s /caminho/do/binario
```

**4. Monitor access to /etc/shadow**

- Use tools such as auditd to log unauthorized access:

```bash
# watch reads (r), writes (w) and attribute changes (a); query later with: ausearch -k shadow_access
sudo auditctl -w /etc/shadow -p rwa -k shadow_access
```

**5. Implement multi-factor authentication (MFA)**

- Reduce the risk of compromised credentials by requiring MFA for critical access.

**Conclusion**

The vulnerabilities in Apport and systemd-coredump represent a significant risk for Linux systems, especially in multi-user environments. Although exploitation requires local access, organizations should apply patches immediately, restrict SUID permissions and monitor for suspicious activity to mitigate the risk.

Proactive security is essential to avoid data leaks, reputational damage and regulatory penalties. Stay up to date and protect your infrastructure before cybercriminals exploit these gaps.

Source and images: https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html