The needrestart utility, a critical component of Ubuntu Server systems, has been found to contain multiple severe Local Privilege Escalation (LPE) vulnerabilities. Identified by the Qualys Threat Research Unit (TRU), these vulnerabilities (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) allow unprivileged users to gain full root access without user interaction.
Notably, these vulnerabilities have been present for nearly 10 years but were only recently discovered. Given the widespread use of needrestart since its default inclusion in Ubuntu Server 21.04, these vulnerabilities present a significant risk to system integrity and enterprise security.
This article provides an in-depth analysis of the vulnerabilities, their technical mechanisms, and actionable steps to mitigate associated risks.
Overview of CVE-2024-48990 & CVE-2024-48992
These two vulnerabilities focus on Python and Ruby interpreters within the needrestart tool.
- CVE-2024-48990 (Python):
This issue arises when needrestart executes Python scripts and includes attacker-controlled environment variables. Specifically, the PYTHONPATH environment variable is extracted from processes running Python and used by needrestart. If an attacker controls this environment variable, they can execute arbitrary code with root privileges when needrestart runs.
- CVE-2024-48992 (Ruby):
Similar to the Python vulnerability, this issue occurs when needrestart executes Ruby with an attacker-controlled RUBYLIB environment variable. This could also allow an attacker to execute arbitrary code with root privileges.
CVE-2024-48991: Race Condition in Python Interpreter Detection
This vulnerability takes advantage of a race condition during the detection of Python processes. needrestart checks processes by reading the /proc/pid/exe path, which can be exploited by attackers. The attacker can substitute the path of the Python executable while needrestart is in the process of checking it, tricking it into running a malicious version of the Python interpreter with root privileges.
CVE-2024-10224 & CVE-2024-11003: Command Injection via Perl’s ScanDeps Module
Both these vulnerabilities are related to Perl’s ScanDeps module, which is used by needrestart to scan dependencies. The key issue here is that the module uses unsafe open() and eval() calls that can be exploited by attackers to run arbitrary shell commands.
- CVE-2024-10224:
Attackers can exploit this by controlling file names passed to open(). For instance, a filename like commands| could trigger execution of arbitrary shell commands when needrestart interacts with it.
- CVE-2024-11003:
This CVE addresses another exploit in the ScanDeps module, where needrestart would call Perl’s ScanDeps module in a way that allowed attackers to manipulate the file being processed, thus gaining the ability to execute arbitrary commands.
Mitigation Steps
To mitigate these vulnerabilities, the following steps can be taken:
- Update to the latest version of needrestart (version 3.8 or above) to patch the issues directly.
- Disable the interpreter heuristic in needrestart’s configuration to avoid exploitation via interpreter-based vulnerabilities:
  - Modify the configuration file at /etc/needrestart/needrestart.conf and set:
    $nrconf{interpscan} = 0;
- Apply patches to older versions of needrestart (available for Ubuntu LTS versions).
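To verify the interpscan mitigation and see which unprivileged processes carry the PYTHONPATH or RUBYLIB variables described for CVE-2024-48990 and CVE-2024-48992, a check along the following lines can be run as root. This is an added example, not code from the original article or from the needrestart project; the function names are hypothetical, and it assumes a Linux /proc filesystem and a stat that supports -c.

```shell
#!/bin/sh
# Added example (not from the needrestart project): audit the interpscan
# mitigation and list processes carrying the variables named in the advisory.

# Effective value of $nrconf{interpscan} in config file $1. The file is Perl,
# so the last uncommented assignment wins; prints "unset" when there is none.
interpscan_value() {
    v=$(sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Succeeds if the NUL-separated environ file $1 defines variable $2.
environ_has() {
    tr '\0' '\n' 2>/dev/null < "$1" | grep -q "^$2="
}

# Print "pid uid VAR" for every process under proc root $1 (default /proc)
# that is not owned by root and has PYTHONPATH or RUBYLIB set.
flag_interp_env() {
    for d in "${1:-/proc}"/[0-9]*; do
        [ -r "$d/environ" ] || continue
        uid=$(stat -c %u "$d" 2>/dev/null) || continue
        [ "$uid" != 0 ] || continue
        for var in PYTHONPATH RUBYLIB; do
            if environ_has "$d/environ" "$var"; then
                printf '%s %s %s\n' "${d##*/}" "$uid" "$var"
            fi
        done
    done
}

# Report the config state, then the flagged processes on the live system.
audit() {
    conf=${1:-/etc/needrestart/needrestart.conf}
    case $(interpscan_value "$conf") in
        0) echo "OK: interpscan disabled in $conf" ;;
        *) echo "WARN: interpscan not set to 0 in $conf" ;;
    esac
    flag_interp_env /proc
}
audit "$@"
```

A line printed by flag_interp_env is a lead for review rather than evidence of compromise, since legitimate applications also set these variables.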
These vulnerabilities allow attackers to escalate privileges to root, enabling them to:
- Run arbitrary code during package installations/upgrades.
- Potentially compromise the entire system through unauthorized access to critical services and data.
- Cause data breaches, loss of confidentiality, and possible regulatory non-compliance.
These vulnerabilities are trivially exploitable, meaning attackers with limited technical expertise can exploit them. The risk is significantly heightened in environments where needrestart is widely used, making patching and remediation crucial. Enterprises should prioritize patching these vulnerabilities to maintain the security of their systems and data.
Security vigilance is essential in modern IT environments. Regular updates and timely application of patches are fundamental to protecting systems from escalating risks and potential breaches. The fact that these vulnerabilities have existed for almost a decade emphasizes the importance of continuously reviewing and securing system configurations to prevent exploitation.