Vulnerability Management, Privileged access management, Patch/Configuration Management

Ubuntu affected by 10-year-old flaws in needrestart package

(Ralf – stock.adobe.com)

Ubuntu users are urged to install updates to patch flaws in the needrestart utility package that could enable local users to escalate their privileges to root without user interaction.

The five vulnerabilities were discovered by the Qualys Threat Research Unit (TRU), which first published details about the flaws on Tuesday. The affected utility, needrestart, is designed to scan the system for any services that need to be restarted after a new software installation, upgrade or removal, potentially preventing the need for a full system restart.

Attackers could potentially exploit the fact that needrestart runs with root privileges by using any of the four methods discovered by Qualys, one of which takes advantage of two separate flaws, to execute their own code as root.

The researchers determined that these flaws have been present in needrestart since version 0.8, which was released in April 2014. The package can be manually installed on any Ubuntu release, but has also been installed by default on all Ubuntu Server images since 21.04, which was released in April 2021.

4 different methods of local privilege escalation

Functional exploits for all of the needrestart vulnerabilities affecting Ubuntu Server were developed by Qualys, which chose not to publish the exploits but warned that others may develop their own exploits following the vulnerability disclosure.

The first three exploitation method manipulate needrestart’s use of a Python or Ruby interpreters to trick the utility into running the attacker’s malicious arbitrary code. The fourth exploitation method combines two flaws to exploit a flaw in the libmodule-scandeps-perl package used by needstart to analyze Perl scripts.

The first exploit involves the flaw tracked as CVE-2024-48990 in which the Python interpreter used by needrestart can be made to execute arbitrary Python code planted in a shared library on the target system. This is done by running a Python process with a PYTHONPATH directing back to the location of the attacker-controlled library.

The second exploit leverages the vulnerability tracked as CVE-2024-48991 and involves a time-of-check, time-of-use (TOCTOU) race condition in which there is enough time between when needrestart checks the location of the Python interpreter and when it executes the interpreter for an attacker to redirect needrestart to its own fake interpreter.  

The third exploit, which stems from the flaw tracked as CVE-2024-48992, is almost identical to the first exploit but instead involves the Ruby interpreter and can be achieved by running the interpreter with an attacker-controlled RUBYLIB environment variable.

The final method combines the flaws tracked as CVE-2024-11003 and CVE-2024-10224 and causes the ScanDeps module to execute arbitrary shell commands contained in an attacker-controlled file name. This is due to a combination of the failure to sanitize file names passed to ScanDeps (CVE-2024-11003) and the fact that ScanDeps recognizes file names containing a pipe character (“|”) as commands to be executed (CVE-2024-10224).

All of these flaws discovered by Qualys carry a CVSS score of 7.8, except for CVE-2024-10224, which was scored at 5.3.

How to resolve Ubuntu needstart vulnerabilities

Ubuntu maintainer Canonical released upgrades that include fixes for both the needrestart and libmodule-scandeps-perl flaws and strongly recommended users apply these upgrades in order to fix both affected packages.

These fixes are necessary for users of Ubuntu Server versions 21.04 and up as well as users of other Ubuntu installations, including desktop installations, where needrestart has been manually installed.

In cases where an immediate upgrade is not possible, the issues can be mitigated by modifying the needrestart configuration file to disable the use of interpreter scanners. These modifications may prevent other updates from completing successfully and will need to be reverted after the full fix of the vulnerabilities is applied, Canonical warned.

You can skip this ad in 5 seconds