OP Yesterday - 07:16 PM
Five local privilege escalation vulnerabilities have been identified in the needrestart utility, which has been used in Ubuntu since version 21.04 and was introduced more than 10 years ago. The bugs allow a local attacker to obtain root privileges without requiring user interaction.
Needrestart is a popular utility widely used in Linux, including Ubuntu Server, to determine services that require a restart after a package update.
The issues were discovered by Qualys and received identifiers: CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224 and CVE-2024-11003. All vulnerabilities appeared in the code of needrestart version 0.8, released in April 2014, and were fixed only this week, with the release of version 3.8.
Detailed information about the issues found is available in a separate text file, and a brief description of them can be seen below.
CVE-2024-48990 (CVSS score 7.8): needrestart launches the Python interpreter using the PYTHONPATH variable retrieved from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization using a malicious shared library.
CVE-2024-48992 (CVSS score 7.8): The Ruby interpreter used by needrestart has a vulnerability in its handling of an attacker-controlled RUBYLIB variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
CVE-2024-48991 (CVSS score 7.8): A race condition in needrestart allows a local attacker to replace the Python interpreter binary with a malicious executable. By carefully timing the replacement, attackers can trick needrestart into running their own code with root privileges.
CVE-2024-10224 (CVSS score 5.3): The Perl ScanDeps module used by needrestart does not properly handle attacker-supplied filenames. As a result, an attacker can use filenames similar to shell commands (e.g., command|) to execute arbitrary commands when opening a file with root privileges.
CVE-2024-11003 (CVSS score 7.8): Use of the ScanDeps Perl module exposes ScanDeps itself to needrestart vulnerabilities, where unsafe use of eval() functions can lead to arbitrary code execution when processing attacker-supplied input.
It is emphasized that to exploit these vulnerabilities, an attacker must have local access to the system previously obtained (for example, via malware or a hacked account).
The researchers warn that given the widespread distribution of needrestart and the long history of the vulnerabilities, these flaws can be used to escalate privileges on critical systems.
In addition to updating to version 3.8 or later, which already contains patches, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents exploitation of the bugs: $nrconf{interpscan} = 0.
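Added example (not from the post above, and not needrestart's own code) showing the two defensive points the advisory raises: how a root-run scanner should treat an environment harvested from another process (the PYTHONPATH / RUBYLIB pattern behind CVE-2024-48990 and CVE-2024-48992), and how to verify that the recommended mitigation, $nrconf{interpscan} = 0 in needrestart.conf, is actually in effect. The /proc/<pid>/environ format and the config line are real; the sample environ blob, the sample config, the list of code-loading variables and the "user-writable location" heuristic are constructed for this example and are not exhaustive.

```python
"""Defensive checks around the needrestart interpreter-scanning flaws.

Example code written for this post; not part of needrestart. Sample data
below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Variables that change where an interpreter or the dynamic loader loads
# code from. Illustrative list (assumption), not exhaustive.
CODE_LOADING_VARS = {
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP",
    "RUBYLIB", "RUBYOPT",
    "PERL5LIB", "PERL5OPT", "PERLLIB",
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
}

# Locations an unprivileged user can normally write to (assumption).
USER_WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/run/user")

# Only these keys may be copied from a scanned process into a child that
# runs as root; everything else is dropped and PATH is pinned.
PASSTHROUGH_ALLOWLIST = {"LANG", "LC_ALL", "TZ"}
FIXED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries.
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0HOME=/home/alice\0"
                  b"PYTHONPATH=/tmp/.x\0LANG=C.UTF-8\0")

# Constructed needrestart.conf excerpt with the mitigation applied.
SAMPLE_CONF = (
    "# needrestart.conf (constructed sample)\n"
    "$nrconf{restart} = 'a';\n"
    "#$nrconf{interpscan} = 1;\n"
    "$nrconf{interpscan} = 0;\n"
)


def parse_proc_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def suspicious_code_paths(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Detection heuristic: (variable, path) pairs where a code-loading
    variable points at an empty, relative or user-writable entry. That is
    exactly the input a root-run interpreter must never trust."""
    hits: List[Tuple[str, str]] = []
    for var in sorted(env):
        if var not in CODE_LOADING_VARS:
            continue
        for path in env[var].split(":"):
            if path == "" or not path.startswith("/") \
                    or path.startswith(USER_WRITABLE_PREFIXES):
                hits.append((var, path))
    return hits


def safe_child_env(harvested: Dict[str, str]) -> Dict[str, str]:
    """Build the environment for a privileged helper interpreter from a
    fixed base plus an allowlist, instead of inheriting the scanned
    process's variables wholesale (the mistake behind the two CVEs)."""
    env = {k: v for k, v in harvested.items() if k in PASSTHROUGH_ALLOWLIST}
    env["PATH"] = FIXED_PATH
    return env


CONF_RE = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*(\d+)\s*;")


def interpscan_disabled(conf_text: str) -> bool:
    """True when the last uncommented '$nrconf{interpscan} = N;' line sets
    N to 0. Absence of the line is treated as enabled (the default the
    advisory warns about). Only the plain numeric form is recognised."""
    enabled = True
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # strip Perl comments
        match = CONF_RE.match(line)
        if match:
            enabled = int(match.group(1)) != 0
    return not enabled


if __name__ == "__main__":
    env = parse_proc_environ(SAMPLE_ENVIRON)
    print("flagged:", suspicious_code_paths(env))
    print("child env:", safe_child_env(env))
    print("interpscan disabled:", interpscan_disabled(SAMPLE_CONF))
```

On a real host, parse_proc_environ would be fed the bytes of /proc/<pid>/environ (readable only for your own processes or as root), and interpscan_disabled the contents of /etc/needrestart/needrestart.conf; the config check is a complement to, not a substitute for, upgrading to needrestart 3.8 or later.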