5 native privilege escalation (LPE) vulnerabilities have been found within the needrestart utility utilized by Ubuntu Linux, which was launched over 10 years in the past in model 21.04.
The failings had been found by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They had been launched in needrestart model 0.8, launched in April 2014, and stuck solely yesterday, in model 3.8.
Needrestart is a utility generally used on Linux, together with on Ubuntu Server, to establish companies that require a restart after package deal updates, making certain that these companies run probably the most up-to-date variations of shared libraries.
Abstract of LPE flaws
The 5 flaws Qualys found enable attackers with native entry to a weak Linux system to escalate their privilege to root with out person interplay.
Full details about the failings was made out there in a separate textual content file, however a abstract might be discovered under:
- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH surroundings variable extracted from operating processes. If an area attacker controls this variable, they’ll execute arbitrary code as root throughout Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter utilized by needrestart is weak when processing an attacker-controlled RUBYLIB surroundings variable. This permits native attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the method.
- CVE-2024-48991: A race situation in needrestart permits an area attacker to exchange the Python interpreter binary being validated with a malicious executable. By timing the substitute fastidiously, they’ll trick needrestart into operating their code as root.
- CVE-2024-10224: Perl’s ScanDeps module, utilized by needrestart, improperly handles filenames supplied by the attacker. An attacker can craft filenames resembling shell instructions (e.g., command|) to execute arbitrary instructions as root when the file is opened.
- CVE-2024-11003: Needrestart’s reliance on Perl’s ScanDeps module exposes it to vulnerabilities in ScanDeps itself, the place insecure use of eval() capabilities can result in arbitrary code execution when processing attacker-controlled enter.
You will need to observe that, to be able to exploit these flaws, an attacker must native entry to the working system by way of malware or a compromised account, which considerably mitigates the chance.
Nonetheless, attackers exploited related Linux elevation of privilege vulnerabilities previously to achieve root, together with the Loony Tunables and one exploiting a nf_tables bug, so this new flaw shouldn’t be dismissed simply because it requires native entry.
With the widespread use of needrestart and the very very long time it has been weak, the above flaws may create alternatives for privilege elevation on essential methods.
Other than upgrading to model 3.8 or later, which incorporates patches for all of the recognized vulnerabilities, it is suggested to change the needrestart.conf file to disable the interpreter scanning characteristic, which prevents the vulnerabilities from being exploited.
# Disable interpreter scanners.
$nrconf{interpscan} = 0;
This could cease needrestart from executing interpreters with doubtlessly attacker-controlled surroundings variables.