Five Critical Privilege Escalation Vulnerabilities Found in Ubuntu’s Default Utility, needrestart

CVE-2024-48990 and CVE-2024-48922

Qualys Threat Research Unit uncovers five local privilege escalation flaws, enabling unprivileged users to gain root access.

The Qualys Threat Research Unit (TRU) has disclosed five critical vulnerabilities in the needrestart utility, a core component of Ubuntu Server installations. These vulnerabilities, present since 2014, could allow any unprivileged user to gain complete control of the system.

These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction,warns the Qualys TRU report. The identified vulnerabilities—assigned the CVEs CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003—score high on the CVSS scale, with four rated at 7.8 (High).

What is needrestart?

needrestart is a utility that determines if a system or its services require a restart after software updates, particularly when shared libraries are involved. It’s a crucial component for maintaining system stability and security by ensuring services use the latest libraries. However, the integration of interpreters like Python and Ruby in version 0.8 (released April 2014) introduced exploitable vulnerabilities.

How the Vulnerabilities Work

The vulnerabilities stem from how needrestart interacts with Python and Ruby interpreters. By manipulating environment variables or exploiting race conditions, attackers can inject malicious code that executes with root privileges.

In two of the vulnerabilities, CVE-2024-48990 and CVE-2024-48922, the local attacker can set an environment variable (either PYTHONPATH or RUBYLIB), then run a script to wait for needrestart to run and trick it into using the attacker’s environment to run arbitrary code,” explains the security advisory.

  • CVE-2024-48990 & CVE-2024-48992: Exploit attacker-controlled environment variables (e.g., PYTHONPATH, RUBYLIB) to execute arbitrary code.
  • CVE-2024-48991: A time-of-check time-of-use (TOCTOU) race condition allows an attacker to control the Python interpreter.
  • CVE-2024-10224 & CVE-2024-11003: These work in tandem, with needrestart passing attacker-controlled input to the Module::ScanDeps Perl module, resulting in arbitrary shell commands being executed with root privileges.

Impact and Remediation

Successful exploitation of these vulnerabilities could lead to complete system compromise, enabling attackers to steal data, install malware, or disrupt operations.

Qualys TRU has already developed working exploits for these vulnerabilities, emphasizing the urgency of patching. “While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure,” the report cautions.

How to check if you are impacted

On your system, run the following command and compare the listed version to the table above.

apt list –installed | grep “^\(needrestart\|libmodule-scandeps-perl\)”

Mitigation Steps

The most effective mitigation is to update needrestart to version 3.8, which includes the necessary fixes. Alternatively, users can disable the vulnerable interpreter heuristic within the needrestart configuration file (/etc/needrestart/needrestart.conf) by adding the following line:

$nrconf{interpscan} = 0;

Call to Action

Given the severity of these vulnerabilities and the availability of exploits, it is crucial for Ubuntu Server users to take immediate action to mitigate the risk. Updating needrestart or disabling the vulnerable feature should be prioritized to protect systems from potential compromise.

For detailed technical insights, refer to the Qualys vulnerability report.

Related Posts: