A decade-old vulnerability in the ‘needrestart’ utility used by default in Ubuntu Linux has been discovered, allowing local privilege escalation. Qualys researchers found five local privilege escalation (LPE) vulnerabilities in needrestart, which can be exploited by attackers with local access to a vulnerable system.
The flaws, tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, were introduced in needrestart version 0.8 in April 2014. The latest patch, version 3.8, fixes all the identified vulnerabilities.
Needrestart is used to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries. However, the flaws allow attackers with local access to escalate their privilege to root without user interaction.
The vulnerabilities can be summarized as follows:
– CVE-2024-48990: Executing the Python interpreter with an attacker-controlled PYTHONPATH environment variable allows arbitrary code execution as root.
– CVE-2024-48992: Injecting malicious Ruby libraries into the process using an attacker-controlled RUBYLIB environment variable allows arbitrary Ruby code execution as root.
– CVE-2024-48991: Replacing the Python interpreter binary with a malicious executable during validation allows tricking needrestart into running code as root.
– CVE-2024-10224: Improperly handling filenames by Perl’s ScanDeps module allows executing arbitrary commands as root when the file is opened.
– CVE-2024-11003: Reliance on Perl’s ScanDeps module exposes needrestart to vulnerabilities in ScanDeps itself, leading to arbitrary code execution.
To mitigate the risk, users are advised to upgrade to version 3.8 or later and modify the needrestart.conf file to disable interpreter scanning, which prevents the vulnerabilities from being exploited.
Source: https://www.bleepingcomputer.com/news/security/ubuntu-linux-impacted-by-decade-old-needrestart-flaw-that-gives-root