apport created lock file in wrong directory

The primary impact of CVE-2019-11485 is the ability for a malicious or even an unaware user to suppress crash reports. This can lead to a lack of visibility into system instability and prevent developers from identifying and fixing underlying issues. While not directly exploitable for remote code execution, the ability to hide crashes can significantly complicate troubleshooting and potentially mask more serious problems. Attackers could leverage this to obscure their activities or prevent system administrators from detecting anomalies. The blast radius is limited to the affected system, but the consequences of undetected crashes can be far-reaching.

Systems administrators and developers using Ubuntu distributions with vulnerable Apport versions are at risk. Shared hosting environments where multiple users have access to the system are particularly vulnerable, as a malicious user could potentially prevent crash reporting for other users or the entire system. Legacy systems running older Ubuntu releases are also at increased risk.

• linux / server:

find /var/crash -type f -perm -002 -print

• linux / server:

journalctl -u apport | grep "lock file"

• linux / server:

ls -l /var/crash/apport/apport.lock

1. 2020-02-08Disclosure

   disclosure

1. Gereserveerd2019-04-23
2. Gepubliceerd2020-02-08
3. Gewijzigd2024-09-16
4. EPSS bijgewerkt2026-04-02

The recommended mitigation for CVE-2019-11485 is to upgrade Apport to version 2.20.11-0ubuntu8.1 or later. If an immediate upgrade is not possible due to compatibility concerns or system downtime constraints, consider restricting write access to the Apport lock file. This can be achieved by modifying file permissions using chmod to ensure only the Apport process has write access. While not a complete fix, this can prevent unauthorized modification of the lock file. After upgrading, verify the fix by attempting to trigger a crash and confirming that the crash report is generated and handled correctly.