5 native privilege escalation (LPE) vulnerabilities have been found within the needrestart utility utilized by Ubuntu Linux, which was launched over 10 years in the past in model 21.04.
The failings had been found by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They had been launched in needrestart model 0.8, launched in April 2014, and stuck solely yesterday, in model 3.8.
Needrestart is a utility generally used on Linux, together with on Ubuntu Server, to determine providers that require a restart after package deal updates, guaranteeing that these providers run probably the most up-to-date variations of shared libraries.
Abstract of LPE flaws
The 5 flaws Qualys found enable attackers with native entry to a weak Linux system to escalate their privilege to root with out person interplay.
Full details about the issues was made accessible in a separate textual content file, however a abstract might be discovered beneath:
- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH setting variable extracted from operating processes. If a neighborhood attacker controls this variable, they will execute arbitrary code as root throughout Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter utilized by needrestart is weak when processing an attacker-controlled RUBYLIB setting variable. This enables native attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the method.
- CVE-2024-48991: A race situation in needrestart permits a neighborhood attacker to exchange the Python interpreter binary being validated with a malicious executable. By timing the substitute rigorously, they will trick needrestart into operating their code as root.
- CVE-2024-10224: Perl’s ScanDeps module, utilized by needrestart, improperly handles filenames offered by the attacker. An attacker can craft filenames resembling shell instructions (e.g., command|) to execute arbitrary instructions as root when the file is opened.
- CVE-2024-11003: Needrestart’s reliance on Perl’s ScanDeps module exposes it to vulnerabilities in ScanDeps itself, the place insecure use of eval() capabilities can result in arbitrary code execution when processing attacker-controlled enter.
You will need to notice that, with a purpose to exploit these flaws, an attacker must native entry to the working system by way of malware or a compromised account, which considerably mitigates the chance.
Nonetheless, attackers exploited comparable Linux elevation of privilege vulnerabilities prior to now to realize root, together with the Loony Tunables and one exploiting a nf_tables bug, so this new flaw shouldn’t be dismissed simply because it requires native entry.Â
With the widespread use of needrestart and the very very long time it has been weak, the above flaws may create alternatives for privilege elevation on vital methods.
Aside from upgrading to model 3.8 or later, which incorporates patches for all of the recognized vulnerabilities, it is strongly recommended to change the needrestart.conf file to disable the interpreter scanning characteristic, which prevents the vulnerabilities from being exploited.
# Disable interpreter scanners.
 $nrconf{interpscan} = 0;
This could cease needrestart from executing interpreters with probably attacker-controlled setting variables.
