Long-standing security flaws have come to light in the needrestart package—an integral component of Ubuntu Server since version 21.04—that could grant local attackers root-level access without any user intervention.
The vulnerabilities, unearthed by the Qualys Threat Research Unit (TRU), trace their origins to needrestart 0.8, a version that introduced interpreter support on April 27, 2014. This means these flaws have lurked undetected for nearly a decade. TRU described the exploits as alarmingly straightforward, urging immediate application of patches to mitigate risk.
“These vulnerabilities enable Local Privilege Escalation (LPE), empowering local attackers to achieve root-level access,” Ubuntu detailed in its advisory. Version 3.8 of the package rectifies these issues, which also affect other Linux distributions like Debian.
What Is Needrestart?
Needrestart is a system utility that identifies which services require restarting after shared library updates, circumventing the need for a complete reboot. Despite its utility, these flaws expose a dangerous attack surface.
Dissecting the Flaws
Five critical vulnerabilities have been cataloged, each carrying the potential to compromise system integrity:
- CVE-2024-48990 (CVSS Score: 7.8)
This flaw allows attackers to manipulate the PYTHONPATH environment variable, coercing needrestart into executing arbitrary Python code with root privileges. - CVE-2024-48991 (CVSS Score: 7.8)
Exploits a race condition that tricks needrestart into invoking a malicious, attacker-crafted Python interpreter. - CVE-2024-48992 (CVSS Score: 7.8)
Enables execution of arbitrary Ruby code by hijacking the RUBYLIB environment variable. - CVE-2024-10224 (CVSS Score: 5.3) & CVE-2024-11003 (CVSS Score: 7.8)
These paired vulnerabilities involve the libmodule-scandeps-perl package. An attacker can use crafted input to force the execution of arbitrary shell commands when filenames are passed to the Module::ScanDeps Perl module.
Successful exploitation leverages malicious environment variables to execute unauthorized code during needrestart’s runtime. Attackers gain an avenue to execute shell commands or Python/Ruby scripts, resulting in full system compromise.
The Exploitation Chain
Ubuntu noted that CVE-2024-10224, on its own, is insufficient for privilege escalation. However, when combined with CVE-2024-11003, needrestart’s dependency on Module::ScanDeps becomes a critical weakness. The latest fix addresses this by severing the dependency entirely.
Mitigation Recommendations
While deploying the patched version is paramount, Ubuntu has provided a provisional workaround. Disabling interpreter scanning in the needrestart configuration file offers a temporary safeguard. However, users must re-enable the feature once patches are applied to restore normal functionality.
“These flaws expose systems to unauthorized privilege escalation during package upgrades or installations when needrestart runs with root permissions,” explained Saeed Abbasi, product manager at Qualys. “Such exploits jeopardize system security and integrity, providing a backdoor for attackers to achieve root access.”
For administrators and users alike, swift action is imperative to shield systems from these critical vulnerabilities.