Introduction
Five critical Local Privilege Escalation (LPE) vulnerabilities have been identified in the needrestart utility and the libmodule-scandeps-perl package, both of which are installed by default on Ubuntu servers. These vulnerabilities, discovered by the Qualys Threat Research Unit (TRU) [1] [5] [7], pose significant security risks [2], allowing unprivileged users to gain root access without user interaction [1] [2] [4] [6] [7].
Description
Five critical Local Privilege Escalation (LPE) vulnerabilities have been identified in the needrestart utility [1] [7], which is installed by default on Ubuntu servers [2] [4] [6] [7], as well as in the libmodule-scandeps-perl package. Both components have been included in Ubuntu installations since version 21.04. Discovered by the Qualys Threat Research Unit (TRU) [1] [5] [7], these vulnerabilities are cataloged under CVE identifiers CVE-2024-48990 [1] [4], CVE-2024-48991 [1] [2] [3] [4] [5] [6] [7] [8], CVE-2024-48992 [1] [2] [3] [4] [5] [6] [7] [8], CVE-2024-10224 [1] [4] [5] [6] [7] [8], and CVE-2024-11003 [1] [4] [5] [6] [7] [8]. Four of these vulnerabilities are rated at 7.8 (High) on the CVSS scale and can be exploited by unprivileged users to gain full root access without user interaction, particularly in needrestart versions prior to 3.8 [2]. This issue has been present since the introduction of interpreter support in version 0.8, released in April 2014 [2], affecting Ubuntu 22.04 LTS, Ubuntu 24.04 LTS [8], and Ubuntu 24.10 installations [8].
The vulnerabilities arise from the insecure handling of attacker-controlled environment variables, specifically impacting the Python and Ruby interpreters during needrestart execution [7]. Attackers can manipulate environment variables or exploit race conditions to have malicious code executed with root privileges. Notably, CVE-2024-48990 and CVE-2024-48992 leverage attacker-controlled environment variables (PYTHONPATH [5], RUBYLIB) to execute arbitrary code [5], while CVE-2024-48991 involves a time-of-check time-of-use (TOCTOU) race condition that allows control over the Python interpreter [5]. Additionally, CVE-2024-10224 and CVE-2024-11003 work in tandem [5]: needrestart passes attacker-controlled input to the Module::ScanDeps Perl module [5] [8], which results in arbitrary shell commands being executed with root privileges [5]. The fix for CVE-2024-11003 removes the dependency of needrestart on Module::ScanDeps [8].
These vulnerabilities pose significant risks for enterprises [2], including unauthorized access to sensitive data [1] [2] [4] [6] [7], malware installation [1] [2] [4] [6] [7], and disruption of business operations [2] [6], which could lead to data breaches, regulatory non-compliance [2] [4] [6], and damage to organizational reputation [2]. To mitigate these risks [4] [5] [6] [7], immediate remediation is necessary [2] [4]. Users should check for installed versions of needrestart and libmodule-scandeps-perl using the following command [8]:
apt list --installed | grep "^\(needrestart\|libmodule-scandeps-perl\)"
If needrestart is below version 3.5-5ubuntu2.1 on 22.04, 3.6-7ubuntu4.1 on 24.04 [8], or 3.6-8ubuntu4 on 24.10 [8], an update is necessary [8]. The update can be performed with the following command [8]:
sudo apt update && sudo apt install --only-upgrade needrestart libmodule-scandeps-perl
Alternatively [5], users can disable the vulnerable interpreter scanning feature in the needrestart configuration file [5], typically located at /etc/needrestart/needrestart.conf [6], by setting interpscan to zero [6]:
$nrconf{interpscan} = 0;
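The version check and the configuration workaround above, combined into one audit script. This is an added example, not code from the cited advisories or the needrestart project: the function names are hypothetical, the fixed versions and the interpscan setting are the ones quoted in the text, and the sort -V fallback is an approximation used only where dpkg is unavailable.

```shell
#!/bin/sh
# Added example: audit a host against the fixed needrestart versions quoted above.

# Fixed needrestart version per Ubuntu release, as stated in the article.
fixed_version() {
    case "$1" in
        22.04) echo "3.5-5ubuntu2.1" ;;
        24.04) echo "3.6-7ubuntu4.1" ;;
        24.10) echo "3.6-8ubuntu4" ;;
        *) return 1 ;;
    esac
}

# version_lt A B: true when A sorts strictly before B.
# Uses dpkg's own comparison when present; otherwise falls back to sort -V,
# an approximation of Debian ordering (assumption: no epochs in the versions).
version_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# needs_update RELEASE INSTALLED
# Returns 0 = below the fixed version, 1 = at or above it, 2 = release not listed.
needs_update() {
    fixed=$(fixed_version "$1") || return 2
    version_lt "$2" "$fixed"
}

# interpscan_disabled FILE: true when the last uncommented assignment is 0.
# A commented-out line or a missing setting counts as "still enabled".
interpscan_disabled() {
    last=$(grep -E '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=' "$1" | tail -n 1)
    printf '%s\n' "$last" | grep -Eq '=[[:space:]]*0[[:space:]]*;'
}

# Live check on an Ubuntu host; runs only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    . /etc/os-release
    installed=$(dpkg-query -W -f='${Version}' needrestart)
    if needs_update "$VERSION_ID" "$installed"; then
        echo "needrestart $installed is below the fixed version for $VERSION_ID"
        interpscan_disabled /etc/needrestart/needrestart.conf \
            || echo "interpscan is still enabled; update or set it to 0"
    fi
fi
```

The last-assignment rule matters because needrestart.conf is a Perl file: a later uncommented `$nrconf{interpscan} = 1;` overrides an earlier 0.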
Organizations are encouraged to adopt a proactive approach to vulnerability management by regularly identifying and prioritizing critical vulnerabilities [7]. Implementing robust patch management processes and monitoring for signs of exploitation are crucial steps in mitigating risk [7]. Immediate action is essential to protect systems from potential compromise and maintain security integrity. Further technical details are available on the Qualys website [6].
Conclusion
The identified vulnerabilities in the needrestart utility and libmodule-scandeps-perl package present serious security threats to Ubuntu servers, potentially leading to unauthorized access and significant operational disruptions. Immediate remediation through updates or configuration changes is crucial to mitigate these risks. Organizations must prioritize vulnerability management and implement robust security measures to safeguard their systems against future threats.
References
[1] https://www.infosecurity-magazine.com/news/5-privilege-escalation-flaws/
[2] https://enterpriseitworldmea.com/qualys-threat-research-unit-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart/
[3] https://www.infopoint-security.de/qualys-tru-deckt-fuenf-lokale-schwachstellen-in-needrestart-auf/a38995/
[4] https://techxmedia.com/qualys-discovers-five-critical-privilege-escalation-vulnerabilities-in-needrestart/
[5] https://securityonline.info/five-critical-privilege-escalation-vulnerabilities-found-in-ubuntus-default-utility-needrestart/
[6] https://securitymea.com/2024/11/20/qualys-uncovers-five-needrestart-vulnerabilities-in-ubuntu-servers/
[7] https://avice.org/5-privilege-escalation-flaws-found-in-ubuntu/
[8] https://www.neowin.net/news/ubuntu-patches-needrestart-security-vulnerability/