The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity.
“Needrestart is a utility that scans the system to determine whether a restart is necessary for the system or its services. Specifically, it flags services for restart if they’re using outdated shared libraries — such as when a library is replaced during a package update. By promptly updating services with the newest libraries, needrestart is vital for maintaining the security and efficiency of Ubuntu Server,” commented Saeed Abbasi, Product Manager, Vulnerability Research at Qualys TRU.
“The vulnerabilities are present in the needrestart component, installed by default on Ubuntu Server since version 21.04, impacting a substantial number of deployments globally. In versions prior to 3.8, the component allows local attackers to execute arbitrary code as root. This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands,” added Abbasi.
Potential impact
These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user.
An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security.
This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization’s reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature.
Steps to mitigate risk
Disabling the interpreter heuristic in needrestart’s config prevents this attack. The needrestart configuration file is typically located at /etc/needrestart/needrestart.conf. This file contains various settings that control the behavior of the needrestart utility. To disable the heuristic, set the following in that file:
# Disable interpreter scanners.
$nrconf{interpscan} = 0;
This modification will disable the interpreter scanning feature.
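To confirm the setting is actually in effect, the following added example (not from Qualys or the needrestart project) reports the state of interpscan in a config file. It catches the case where the line is present but still commented out, or is overridden by a later assignment. The function name interpscan_state and its output words are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether the interpscan mitigation is active in a
# needrestart config file. Function name and output words are assumptions.

# interpscan_state FILE
#   prints "disabled"   - an active line sets $nrconf{interpscan} to 0
#          "enabled"    - the last active assignment is a non-zero value
#          "unset"      - no active assignment (for example, only a comment)
#          "unreadable" - the file is missing or cannot be read
interpscan_state() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 0; }

    # Simplification: everything after '#' is treated as a comment.
    # The config is Perl, so the last assignment in the file wins.
    value=$(sed -e 's/#.*$//' "$conf" \
        | sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*$/\1/p' \
        | tail -n 1 \
        | tr -d "'\"")

    case "$value" in
        "") echo "unset" ;;
        0)  echo "disabled" ;;
        *)  echo "enabled" ;;
    esac
}

# Check the path given as the first argument, or the typical location.
interpscan_state "${1:-/etc/needrestart/needrestart.conf}"
```

Only "disabled" confirms the mitigation; treat any other result as the interpreter scanning feature not having been turned off in that file.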
More information is available in the Qualys TRU blog post: https://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart
Technical details of these vulnerabilities are available on the Qualys website at: https://www.qualys.com/2024/11/19/needrestart/needrestart.txt