
Ubuntu Linux impacted by decade-old ‘needrestart’ flaw that offers root

Five local privilege escalation (LPE) vulnerabilities have been found in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04.

The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only yesterday, in version 3.8.

Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.

Summary of LPE flaws

The five flaws Qualys discovered allow attackers with local access to a vulnerable Linux system to escalate their privileges to root without user interaction.

Full information about the flaws was made available in a separate text file, but a summary can be found below:

  • CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
  • CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
  • CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
  • CVE-2024-10224: Perl’s ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
  • CVE-2024-11003: Needrestart’s reliance on Perl’s ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input.

It is important to note that, in order to exploit these flaws, an attacker needs local access to the operating system through malware or a compromised account, which significantly mitigates the risk.

However, attackers have exploited similar Linux elevation of privilege vulnerabilities in the past to gain root, including Looney Tunables and one exploiting an nf_tables bug, so this new flaw should not be dismissed just because it requires local access.

With the widespread use of needrestart and the very long time it has been vulnerable, the above flaws could create opportunities for privilege elevation on critical systems.

Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited.

# Disable interpreter scanners.
$nrconf{interpscan} = 0;

This should stop needrestart from executing interpreters with potentially attacker-controlled environment variables.
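A way to audit a host for the two mitigations above, as an added example that is not from the article or the needrestart project: it classifies a system as patched, mitigated or exposed from a needrestart.conf file and a version string. The function names are hypothetical, the sample config files are constructed, and the config path and installed version are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the article or the needrestart project).

# Succeeds only if the last active (uncommented) $nrconf{interpscan}
# assignment in the given config file sets it to 0.
interpscan_disabled() {
    val=$(sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
    [ "$val" = "0" ]
}

# Succeeds if the upstream version is 3.8 or later. Epoch and package
# revision are stripped; a distro backport of the fix under an older
# upstream number is NOT recognised here.
version_fixed() {
    v=${1#*:}; v=${v%%-*}
    major=${v%%.*}
    minor=${v#*.}
    if [ "$minor" = "$v" ]; then minor=0; fi
    minor=${minor%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 8 ]; }
}

# Prints patched, mitigated or exposed for a config file and a version.
needrestart_status() {
    if version_fixed "$2"; then echo patched
    elif interpscan_disabled "$1"; then echo mitigated
    else echo exposed
    fi
}

# Constructed sample configs, so the example runs offline.
stock=$(mktemp) hardened=$(mktemp)
trap 'rm -f "$stock" "$hardened"' EXIT
printf '%s\n' '# Disable interpreter scanners.' '#$nrconf{interpscan} = 0;' > "$stock"
printf '%s\n' '# Disable interpreter scanners.' '$nrconf{interpscan} = 0;' > "$hardened"

echo "3.6, setting commented out: $(needrestart_status "$stock" 3.6)"
echo "3.6, interpscan = 0:        $(needrestart_status "$hardened" 3.6)"
echo "3.8:                        $(needrestart_status "$stock" 3.8)"
```

A commented-out `#$nrconf{interpscan} = 0;` line does not count as a mitigation, which is why the check only matches active assignments.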
