Multiple decade-old Local Privilege Escalation (LPE) vulnerabilities discovered within the needrestart component installed by default in Ubuntu Server might allow a local attacker to achieve root access.
needrestart is a utility that checks your system to see whether it needs to be restarted or if any of its services need to be restarted.
needrestart is configured to execute automatically following APT activities such as installation, upgrade, or removal, including unattended upgrades, due to its integration with server images.
The needrestart component, which has been installed by default on Ubuntu Server since version 21.04, contains vulnerabilities that affect a significant number of deployments worldwide.
Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar
The issues were most likely introduced with the interpreter support in Needrestart version 0.8, which was released in April 2014.
Details Of The Vulnerabilities
The Qualys Threat Research Unit (TRU) discovered flaws tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, emphasizing the importance of prompt remediation to ensure system integrity.
Using an attacker-controlled PYTHONPATH environment variable, a vulnerability known as CVE-2024-48990 with a CVSS score of 7.8 enables local attackers to run arbitrary code as root by tricking needrestart into launching the Python interpreter.
With a CVSS score of 7.8, the vulnerability identified as CVE-2024-48991 enables local attackers to run arbitrary code as root by deceiving needrestart into using their own fake Python interpreter rather than the system’s actual Python interpreter and achieving a race condition.
A vulnerability identified as CVE-2024-48992, with a CVSS score of 7.8, allows local attackers to execute arbitrary code as root by enticing needrestart into starting the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.
The vulnerabilities identified as CVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) enable arbitrary shell commands to be executed by a local attacker.
These flaws in the needrestart utility, which is frequently used as the root user during package installations or upgrades, let local users increase their privileges by running arbitrary code.“
An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security”, reads the advisory.“
This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations”.
Affected needrestart Versions And Fix Available
The vulnerabilities are found in the needrestart component, which is installed by default on Ubuntu Server since version 21.04.
The component allows local attackers to run arbitrary code as root in versions earlier than 3.8. The issue affects needrestart versions before 3.8, and version 3.8 offers a fix.
Disabling the interpreter heuristic in needrestart’s configuration prevents this flaw.
The needrestart configuration file is usually found in /etc/needrestart/needrestart.conf. This file contains a variety of options that control the behavior of the needrestart utility.
This update will disable the interpreter scanning feature. Hence, businesses should quickly reduce this risk by removing the susceptible feature or updating the software.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free