A number of ten-year-old security vulnerabilities have been discovered in the needrestart package, which is installed by default in Ubuntu Server (starting with version 21.04). They could allow a local attacker to gain root privileges without the need for user interaction.
The Qualys Threat Research Unit (TRU), which detected and reported the flaws early last month, said they are trivial to exploit, requiring users to move quickly to apply fixes. The vulnerabilities are believed to have existed since the introduction of interpreter support in needrestart 0.8, which was released on April 27, 2014.
“These needrestart exploits allow local privilege elevation (LPE), which means a local attacker can gain root privileges,” Ubuntu said in its guidance, noting that they were addressed in version 3.8.
Needrestart is a utility that scans the system to identify services that need to be restarted after applying shared library updates in a way that avoids a complete system restart.
The five flaws are listed below:
- CVE-2024-48990 (CVSS score: 7.8) – Vulnerability that allows local attackers to execute arbitrary code as root by causing needrestart to launch the Python interpreter with an attacker-controlled PYTHONPATH environment variable
- CVE-2024-48991 (CVSS score: 7.8) – Vulnerability that allows local attackers to execute arbitrary code as root by winning a race and causing needrestart to run their own fake Python interpreter
- CVE-2024-48992 (CVSS score: 7.8) – Vulnerability that allows local attackers to execute arbitrary code as root by causing needrestart to launch the Ruby interpreter with an attacker-controlled RUBYLIB environment variable
- CVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) – Two vulnerabilities that could allow a local attacker to execute arbitrary shell commands as root by taking advantage of an issue in the libmodule-scandeps-perl package (before version 1.36)
Successful exploitation of the above flaws could allow a local attacker to set a specially crafted PYTHONPATH or RUBYLIB environment variable, which could lead to the execution of arbitrary code from the threat actor's environment when needrestart is invoked.
“In CVE-2024-10224 (…), an attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by opening a ‘nuisance channel’ (for example, passing ‘commands|’ as a filename) or by passing arbitrary strings to eval(),” Ubuntu noted.
“This alone is not enough for local privilege enhancement. However, in CVE-2024-11003, needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and runs CVE-2024-10224 with root privileges. The fix for CVE-2024-11003 removes the needrestart dependency on Module::ScanDeps.”
While installing the latest patches is highly recommended, Ubuntu advises that, as a temporary mitigation, users can disable interpreter scanners in the needrestart configuration file, and should ensure that the change is reverted after the updates are applied.
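To audit the temporary mitigation described above, this added example (not from Ubuntu, Qualys or the needrestart project) reports whether interpreter scanning is effectively disabled in a needrestart configuration file. It assumes the usual location `/etc/needrestart/needrestart.conf` and the `$nrconf{interpscan}` setting, neither of which is named in the article; the function names and the sample configuration are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: audit the temporary needrestart mitigation.
# Assumptions (not from the article): the config file is
# /etc/needrestart/needrestart.conf and the interpreter-scanner switch
# is the Perl hash entry $nrconf{interpscan}.

# Print the effective interpscan value found in config file $1:
#   a number -> last uncommented assignment (in Perl the last one wins)
#   "unset"  -> no active assignment, so the built-in default applies
interpscan_value() {
    awk '
        /^[ \t]*#/ { next }               # commented-out lines are inactive
        {
            line = $0
            sub(/#.*/, "", line)          # drop trailing comments
            if (match(line, /[$]nrconf[{]interpscan[}][ \t]*=[ \t]*[0-9]+/)) {
                val = substr(line, RSTART, RLENGTH)
                sub(/.*=[ \t]*/, "", val) # keep only the assigned number
            }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Translate the value into a verdict an operator can act on.
mitigation_status() {
    case "$(interpscan_value "$1")" in
        0)     echo "mitigated: interpreter scanners disabled (revert after patching)" ;;
        unset) echo "not mitigated: no active interpscan setting" ;;
        *)     echo "not mitigated: interpreter scanners enabled" ;;
    esac
}

# Constructed sample config: a commented line, an earlier "1", then the
# mitigation line with a trailing comment.
sample_conf() {
    cat <<'EOF'
# Disable interpreter scanners.
#$nrconf{interpscan} = 0;
$nrconf{interpscan} = 1;
  $nrconf{interpscan} = 0;   # temporary mitigation, revert after update
EOF
}

# Stand-alone use: pass the config path as the first argument.
if [ -n "${1:-}" ]; then
    mitigation_status "$1"
fi
```

A commented-out `interpscan` line counts as no mitigation, which is the easy mistake when editing the shipped configuration by hand.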
“These vulnerabilities in the needrestart utility allow local users to elevate their privileges by executing arbitrary code during the installation or update of packages, where needrestart is often run as the root user,” said Saeed Abbasi, TRU product manager at Qualys.
“An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security.”