Recent disclosures have revealed multiple significant security vulnerabilities within the needrestart package, which has been a default component of Ubuntu Server since version 21.04. These flaws pose a threat by enabling local attackers to escalate their privileges to root without the need for user interaction. The Qualys Threat Research Unit (TRU) uncovered these vulnerabilities and reported that they are alarmingly easy to exploit. It is essential for users to apply the necessary fixes promptly, as the vulnerabilities likely originated with the introduction of interpreter support in needrestart version 0.8, released back in 2014.

According to Ubuntu’s advisory, these vulnerabilities allow what is classified as Local Privilege Escalation (LPE), enabling local attackers to assume root privileges. Security experts highlighted that these vulnerabilities are not confined to Ubuntu but also affect Debian and other Linux distributions. The revisions made in version 3.8 of needrestart address these critical issues.

Needrestart is designed to scan systems and identify services requiring restart following shared library updates, thereby preventing the necessity for a complete system reboot. However, the newly identified flaws can lead to arbitrary code execution as root. The vulnerabilities detailed include several that result from manipulating environment variables such as PYTHONPATH and RUBYLIB, which could be exploited when needrestart is executed.

Specifically, an attacker can exploit CVE-2024-48990 and CVE-2024-48991, both scoring 7.8 on the CVSS scale. These vulnerabilities enable local attackers to execute arbitrary code by tricking the system into executing a malicious Python interpreter or by leveraging a race condition. Additional vulnerabilities, CVE-2024-48992, CVE-2024-11003, and CVE-2024-10224, also provide pathways for local code execution via crafted shell commands by exploiting issues within the libmodule-scandeps-perl package.

Exploiting these vulnerabilities lets a local attacker manipulate environment variables so that they point to attacker-controlled entities, leading to the execution of arbitrary code. Notably, CVE-2024-10224 stems from improper handling of file inputs, which allows attackers to supply unexpected input that triggers system commands.

While obtaining the latest patches is highly recommended, Ubuntu has also suggested a temporary mitigation: users can deactivate interpreter scanners within the needrestart configuration file. However, it’s critical that this adjustment is reverted after applying patches to ensure ongoing system integrity.
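A defender can check both conditions described above, the fixed upstream version and the interim mitigation, with a short script. This is an added example, not code from the article, Ubuntu, or the needrestart project; it assumes the mitigation is the `$nrconf{interpscan}` setting in `/etc/needrestart/needrestart.conf`, and the function names and the sample version string are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article or the needrestart project).
# Assumption: interpreter scanning is controlled by $nrconf{interpscan}
# in /etc/needrestart/needrestart.conf; function names are hypothetical.

# Print disabled|enabled|unset for the given config file(s), read in order.
# The config is Perl, so the last uncommented assignment wins.
interpscan_state() {
    val=$(cat "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' |
        tail -n 1 | tr -d "\"'")
    case $val in
        '') echo unset ;;      # absent or commented out: scanners stay on
        0)  echo disabled ;;
        *)  echo enabled ;;
    esac
}

# True when the upstream part of a package version is >= 3.8.
# Distribution packages can carry the fix under an older upstream number,
# so "false" here means "check the vendor advisory", not "vulnerable".
upstream_has_fix() {
    v=${1#*:}; v=${v%%-*}      # strip Debian epoch and revision
    [ "$(printf '%s\n' 3.8 "$v" | sort -V | head -n 1)" = 3.8 ]
}

# assess VERSION CONF... -> one-line verdict
assess() {
    ver=$1; shift
    state=$(interpscan_state "$@")
    if upstream_has_fix "$ver"; then
        if [ "$state" = disabled ]; then
            echo "fixed upstream version; mitigation still set, revert it"
        else
            echo "fixed upstream version"
        fi
    elif [ "$state" = disabled ]; then
        echo "older upstream version; interpreter scanning disabled"
    else
        echo "older upstream version; interpreter scanning active"
    fi
}

# Constructed sample config: stock commented line, then the mitigation.
sample=$(mktemp)
printf '%s\n' '#$nrconf{interpscan} = 0;' '$nrconf{interpscan} = 0;' > "$sample"
assess "3.6-7" "$sample"
```

On a real host, pass the installed package version and the main configuration file followed by any drop-in files, in the order needrestart loads them.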

The vulnerabilities in needrestart present a substantial risk, as local users may exploit them during package installations or upgrades executed in root context. Saeed Abbasi, a product manager at Qualys, stated that an attacker who successfully leverages these vulnerabilities could secure root access, ultimately compromising the system’s integrity and security.
