Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction.
The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that users move quickly to apply the fixes. The vulnerabilities are believed to have existed since the introduction of interpreter support in needrestart 0.8, which was released on April 27, 2014.
“These needrestart exploits allow Local Privilege Escalation (LPE) which means that a local attacker is able to gain root privileges,” Ubuntu said in an advisory, noting they have been addressed in version 3.8. “The vulnerabilities affect Debian, Ubuntu, and other Linux distributions.”
Needrestart is a utility that scans a system to determine the services that need to be restarted after applying shared library updates in a manner that avoids a complete system reboot.
The five flaws are listed below –
- CVE-2024-48990 (CVSS score: 7.8) – A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable
- CVE-2024-48991 (CVSS score: 7.8) – A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter
- CVE-2024-48992 (CVSS score: 7.8) – A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable
- CVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) – Two vulnerabilities that allows a local attacker to execute arbitrary shell commands as root by taking advantage of an issue in the libmodule-scandeps-perl package (before version 1.36)
Successful exploitation of the aforementioned shortcomings could allow a local attacker to set specially crafted environment variables for PYTHONPATH or RUBYLIB that could result in the execution of arbitrary code pointing to the threat actor’s environment when needrestart is run.
“In CVE-2024-10224, […] attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by open()ing a ‘pesky pipe’ (such as by passing ‘commands|’ as a filename) or by passing arbitrary strings to eval(),” Ubuntu noted.
“On its own, this is not enough for local privilege escalation. However, in CVE-2024-11003 needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and triggers CVE-2024-10224 with root privilege. The fix for CVE-2024-11003 removes needrestart’s dependency on Module::ScanDeps.”
While it’s highly advised to download the latest patches, Ubuntu said users can disable interpreter scanners in needrestart the configuration file as a temporary mitigation and ensure that the changes are reverted after the updates are applied.
“These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user,” Saeed Abbasi, product manager of TRU at Qualys, said.
“An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security.”
