Critical Vulnerabilities in Ubuntu's Needrestart Utility Expose Systems to Root Exploits
What Is Needrestart?
The needrestart utility checks which services require restarting after package updates on Linux systems. This ensures updated shared libraries are active. However, the flaws in this utility allow attackers with local access to escalate privileges to root, posing severe risks.
Overview of Vulnerabilities
CVE-2024-48990
- Impact: Executes arbitrary code as root.
- Cause: Relies on the
PYTHONPATH
environment variable extracted from running processes. An attacker can manipulate this variable to introduce malicious shared libraries.
CVE-2024-48991
- Impact: Exploits a race condition to execute a malicious binary as root.
- Cause: Needrestart’s validation process allows an attacker to replace the Python interpreter binary during validation.
CVE-2024-48992
- Impact: Executes arbitrary Ruby code as root.
- Cause: Vulnerability in processing the
RUBYLIB
environment variable, enabling attackers to inject harmful libraries.
CVE-2024-10224
- Impact: Arbitrary command execution as root.
- Cause: Mismanagement of filenames by Perl’s ScanDeps module enables attackers to execute commands resembling filenames.
CVE-2024-11003
- Impact: Executes attacker-controlled code as root.
- Cause: Insecure use of
eval()
functions in Perl’s ScanDeps module when processing user input.
Risk and Mitigation
Although these flaws require local access to exploit, they are significant. Similar vulnerabilities like Loony Tunables and nf_tables bugs have demonstrated how attackers can chain such flaws for devastating impacts.
Mitigation Steps:
- Update Immediately: Ensure systems are running needrestart version 3.8 or later.
- Restrict Access: Limit local access to trusted users.
- Monitor for Exploits: Use intrusion detection systems to identify attempts to leverage these flaws.
Conclusion
The discovery of these long-standing vulnerabilities in a critical utility highlights the importance of regular security audits. While the needrestart flaws are now patched, Linux administrators must remain vigilant, applying updates promptly and hardening local system access to minimize risks.
Click below and ‘share’ this article!