Full Report
Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction. The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that
Analysis Summary
# Vulnerability: Multiple Local Privilege Escalation Flaws in Ubuntu's Needrestart Package
## CVE Details
- CVE ID: CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-11003, CVE-2024-10224
- CVSS Score: 7.8 (High) for CVE-2024-48990, CVE-2024-48991, CVE-2024-48992 and CVE-2024-11003; 5.3 (Medium) for CVE-2024-10224
- CWE: Not explicitly listed in the summary, but generally related to Improper Control of Generation of Code ('Code Injection') or Logic Errors.
## Affected Systems
- Products: Needrestart package (used by Debian, Ubuntu, and other Linux distributions)
- Versions: Vulnerabilities are believed to have existed since Needrestart version 0.8 (released April 27, 2014).
- Configurations: Affects systems running Ubuntu Server, specifically since version 21.04 where `needrestart` is installed by default.
## Vulnerability Description
Multiple vulnerabilities exist within the `needrestart` utility, which scans systems to determine which services require restarting after shared library updates. These flaws allow a local attacker to achieve Local Privilege Escalation (LPE) by tricking the utility into executing arbitrary code with root privileges.
The specific flaws identified include:
1. **CVE-2024-48990/CVE-2024-48992:** Tricking `needrestart` into executing the Python interpreter or Ruby interpreter, respectively, with an attacker-controlled environment variable (`PYTHONPATH` or `RUBYLIB`).
2. **CVE-2024-48991:** Winning a race condition to trick `needrestart` into running a fabricated Python interpreter.
3. **CVE-2024-11003/CVE-2024-10224:** Additional remote code execution/arbitrary code execution vulnerabilities (details truncated).
## Exploitation
- Status: The flaws are described as "trivial to exploit" (exploitation is straightforward, but no explicit in-the-wild exploitation status is given).
- Complexity: Low (Trivial to exploit).
- Attack Vector: Local (Requires the attacker to already have local access).
## Impact
- Confidentiality: High (Gaining root allows access to all system data).
- Integrity: High (Gaining root allows modification of all system files and configurations).
- Availability: High (Gaining root allows system shutdown or malicious alteration).
## Remediation
### Patches
- **Needrestart:** Patched in version **3.8**. Users should upgrade to this version or newer.
### Workarounds
- No specific workarounds are detailed in the provided text; the primary mitigation is updating to the patched package. Where immediate patching is impossible, removing `needrestart` or restricting who can execute it may serve as a temporary measure, although this can disrupt post-update service restarts. The Qualys advisory itself recommends disabling the interpreter-scanning feature (the code path all five flaws go through) by setting `$nrconf{interpscan} = 0;` in needrestart.conf until the upgrade is applied.
## Detection
- Detection methods are not explicitly detailed, but useful indicators are unexpected executions of Python or Ruby interpreters as root spawned by the `needrestart` process (typically during a package upgrade or service check), especially where the child inherits an attacker-controlled `PYTHONPATH` or `RUBYLIB`, or where the interpreter binary itself lives outside the normal system paths.
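As an added illustration of the indicators above (this is example detection code written for this summary, not anything from the Qualys report or the needrestart project), the following Python scans constructed JSON-lines process-exec events and flags root interpreter launches by `needrestart` whose `PYTHONPATH`/`RUBYLIB` reaches user-writable directories or whose interpreter binary sits outside the assumed trusted prefixes. The event schema, the trusted prefixes and the sample events are all assumptions.

```python
import json

# Assumption: prefixes where root-owned interpreters and their libraries live.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/lib/")
# Interpreter basename prefix -> environment variable that redirects its module search path.
HIJACK_VARS = {"python": "PYTHONPATH", "ruby": "RUBYLIB"}

def _untrusted(path: str) -> bool:
    """True for relative or empty paths (empty = current dir) and anything outside TRUSTED_PREFIXES."""
    return not path.startswith(TRUSTED_PREFIXES)

def analyse_event(ev: dict) -> list[str]:
    """Reasons a root exec event whose parent is needrestart looks like interpreter abuse."""
    if ev.get("parent_comm") != "needrestart" or ev.get("uid") != 0:
        return []
    exe = ev.get("exe", "")
    base = exe.rsplit("/", 1)[-1]
    var = next((v for k, v in HIJACK_VARS.items() if base.startswith(k)), None)
    if var is None:
        return []  # needrestart launched something other than python/ruby
    reasons = []
    if _untrusted(exe):  # CVE-2024-48991 pattern: a fabricated interpreter binary
        reasons.append(f"interpreter outside trusted prefixes: {exe}")
    value = ev.get("env", {}).get(var)
    if value is not None:
        bad = [p for p in value.split(":") if _untrusted(p)]
        if bad:  # CVE-2024-48990/-48992 pattern: module search path reaches user-writable dirs
            reasons.append(f"{var} contains untrusted entries: {':'.join(bad)}")
    return reasons

def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Parse JSON-lines exec events; map each suspicious pid to its reasons."""
    hits = {}
    for line in lines:
        ev = json.loads(line)
        if reasons := analyse_event(ev):
            hits[ev["pid"]] = reasons
    return hits

# Constructed sample events in a hypothetical schema (not real telemetry).
SAMPLE_LOG = [
    '{"pid": 101, "uid": 0, "parent_comm": "needrestart", "exe": "/usr/bin/python3", "env": {"PYTHONPATH": "/usr/lib/python3/dist-packages"}}',
    '{"pid": 102, "uid": 0, "parent_comm": "needrestart", "exe": "/usr/bin/python3", "env": {"PYTHONPATH": "/tmp/x:/usr/lib/python3/dist-packages"}}',
    '{"pid": 103, "uid": 0, "parent_comm": "needrestart", "exe": "/home/user/.local/bin/python3", "env": {}}',
    '{"pid": 104, "uid": 0, "parent_comm": "needrestart", "exe": "/usr/bin/ruby", "env": {"RUBYLIB": "/dev/shm/lib"}}',
    '{"pid": 105, "uid": 1000, "parent_comm": "bash", "exe": "/usr/bin/python3", "env": {"PYTHONPATH": "/tmp/x"}}',
]

if __name__ == "__main__":
    print(json.dumps(scan_log(SAMPLE_LOG), indent=1))
```

Event 101 (system `PYTHONPATH`) and event 105 (not spawned by `needrestart`, not root) are intentionally left unflagged so the rule does not fire on ordinary package maintenance.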
## References
- Vendor Advisory (Ubuntu): hxxps://ubuntu.com/blog/needrestart-local-privilege-escalation
- Researcher Report (Qualys): hxxps://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart
- CVE-2024-48990: hxxps://ubuntu.com/security/CVE-2024-48990
- CVE-2024-48991: hxxps://ubuntu.com/security/CVE-2024-48991
- CVE-2024-48992: hxxps://ubuntu.com/security/CVE-2024-48992
- CVE-2024-11003: hxxps://ubuntu.com/security/CVE-2024-11003
- CVE-2024-10224: hxxps://ubuntu.com/security/CVE-2024-10224