5 native privilege escalation (LPE) vulnerabilities have been found within the needrestart utility utilized by default in Ubuntu Linux since model 21.04, which had been launched over 10 years in the past.
The failings had been found by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They had been launched in needrestart model 0.8, launched in April 2014, and stuck solely yesterday, in model 3.8.
Needrestart is a utility generally used on Linux, together with on Ubuntu Server, to determine companies that require a restart after bundle updates, guaranteeing that these companies run probably the most up-to-date variations of shared libraries.
Abstract of LPE flaws
The 5 flaws Qualys found enable attackers with native entry to a weak Linux system to escalate their privilege to root with out person interplay.
Full details about the failings was made obtainable in a separate textual content file, however a abstract will be discovered beneath:
- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH surroundings variable extracted from working processes. If an area attacker controls this variable, they’ll execute arbitrary code as root throughout Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter utilized by needrestart is weak when processing an attacker-controlled RUBYLIB surroundings variable. This permits native attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the method.
- CVE-2024-48991: A race situation in needrestart permits an area attacker to exchange the Python interpreter binary being validated with a malicious executable. By timing the alternative rigorously, they’ll trick needrestart into working their code as root.
- CVE-2024-10224: Perl’s ScanDeps module, utilized by needrestart, improperly handles filenames supplied by the attacker. An attacker can craft filenames resembling shell instructions (e.g., command|) to execute arbitrary instructions as root when the file is opened.
- CVE-2024-11003: Needrestart’s reliance on Perl’s ScanDeps module exposes it to vulnerabilities in ScanDeps itself, the place insecure use of eval() capabilities can result in arbitrary code execution when processing attacker-controlled enter.
It is very important be aware that, as a way to exploit these flaws, an attacker must native entry to the working system by malware or a compromised account, which considerably mitigates the danger.
Nevertheless, attackers exploited related Linux elevation of privilege vulnerabilities up to now to realize root, together with the Loony Tunables and one exploiting a nf_tables bug, so this new flaw shouldn’t be dismissed simply because it requires native entry.
With the widespread use of needrestart and the very very long time it has been weak, the above flaws may create alternatives for privilege elevation on essential methods.
Aside from upgrading to model 3.8 or later, which incorporates patches for all of the recognized vulnerabilities, it is suggested to change the needrestart.conf file to disable the interpreter scanning function, which prevents the vulnerabilities from being exploited.
# Disable interpreter scanners.
$nrconf{interpscan} = 0;
This could cease needrestart from executing interpreters with probably attacker-controlled surroundings variables.