Critical Vulnerabilities in Ubuntu's Needrestart Utility Expose Systems to Root Exploits

Five Local Privilege Escalation (LPE) vulnerabilities have been identified in the widely used needrestart utility, which has been present by default in Ubuntu Linux since version 21.04. Discovered by Qualys, the flaws date back to version 0.8, released in April 2014, and were patched in version 3.8 in November 2024.
 

What Is Needrestart?

The needrestart utility checks which services require restarting after package updates on Linux systems. This ensures updated shared libraries are active. However, the flaws in this utility allow attackers with local access to escalate privileges to root, posing severe risks.

Overview of Vulnerabilities

CVE-2024-48990

  • Impact: Executes arbitrary code as root.
  • Cause: Relies on the PYTHONPATH environment variable extracted from running processes. An attacker can manipulate this variable to introduce malicious shared libraries.

CVE-2024-48991

  • Impact: Exploits a race condition to execute a malicious binary as root.
  • Cause: Needrestart’s validation process allows an attacker to replace the Python interpreter binary during validation.

CVE-2024-48992

  • Impact: Executes arbitrary Ruby code as root.
  • Cause: Vulnerability in processing the RUBYLIB environment variable, enabling attackers to inject harmful libraries.

CVE-2024-10224

  • Impact: Arbitrary command execution as root.
  • Cause: Perl’s ScanDeps module mishandles filenames, so an attacker-supplied filename can be executed as a command.

CVE-2024-11003

  • Impact: Executes attacker-controlled code as root.
  • Cause: Insecure use of eval() functions in Perl’s ScanDeps module when processing user input.

Risk and Mitigation

Although these flaws require local access to exploit, they are significant. Similar vulnerabilities, such as Loony Tunables and the nf_tables bugs, have demonstrated how attackers can chain such flaws for devastating impact.

Mitigation Steps:

  1. Update Immediately: Ensure systems are running needrestart version 3.8 or later.
  2. Restrict Access: Limit local access to trusted users.
  3. Monitor for Exploits: Use intrusion detection systems to identify attempts to leverage these flaws.
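
As an illustration of step 3, the following added example (not code from needrestart, Qualys or Ubuntu) flags running processes whose PYTHONPATH or RUBYLIB, the variables named in CVE-2024-48990 and CVE-2024-48992, point at a relative path or at a directory that is not root-owned or is group/world-writable. Reading the environment from /proc/<pid>/environ and the "untrusted directory" rule are assumptions of this sketch; all function names are hypothetical.

```python
import os
import stat

WATCHED = ("PYTHONPATH", "RUBYLIB")  # variables named in the two CVEs above

def parse_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE records)."""
    env = {}
    for rec in blob.split(b"\0"):
        key, sep, val = rec.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env

def untrusted_dir(path: str) -> bool:
    """Assumed rule: not owned by root, or writable by group/others."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # path does not exist (or cannot be inspected)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def findings(env: dict, check=untrusted_dir) -> list:
    """Return (variable, entry) pairs whose search-path entry looks risky."""
    out = []
    for var in WATCHED:
        if not env.get(var):
            continue
        for entry in env[var].split(os.pathsep):
            # Empty or relative entries resolve against the process's cwd.
            if not os.path.isabs(entry) or check(entry):
                out.append((var, entry))
    return out

def scan_proc(proc="/proc"):
    """Yield (pid, variable, entry) for each readable process; run as root."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited or its environ is not readable
        for var, entry in findings(env):
            yield int(pid), var, entry

if __name__ == "__main__":
    for pid, var, entry in scan_proc():
        print(f"pid={pid} {var} entry={entry!r}")
```

A hit is a lead for review, not proof of exploitation: development tools and virtual environments legitimately set these variables to user-owned paths.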

Conclusion

The discovery of these long-standing vulnerabilities in a critical utility highlights the importance of regular security audits. While the needrestart flaws are now patched, Linux administrators must remain vigilant, applying updates promptly and hardening local system access to minimize risks.
