Five local privilege escalation (LPE) vulnerabilities, introduced over 10 years ago, have been discovered in the needrestart utility that Ubuntu Linux introduced in version 21.04.
The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only yesterday, in version 3.8.
Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.
The five flaws Qualys discovered allow attackers with local access to a vulnerable Linux system to escalate their privilege to root without user interaction.
Complete information about the flaws was made available in a separate text file, but a summary can be found below:
It is important to note that, in order to exploit these flaws, an attacker would have to have local access to the operating system, for example through malware or a compromised account, which somewhat mitigates the risk.
However, attackers have exploited similar Linux elevation-of-privilege vulnerabilities in the past to gain root, including Looney Tunables and an nf_tables bug, so these new flaws should not be dismissed just because they require local access.
With the widespread use of needrestart and the very long time it has been vulnerable, the above flaws could create opportunities for privilege elevation on critical systems.
Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited.
# Disable interpreter scanners.
$nrconf{interpscan} = 0;
This should stop needrestart from executing interpreters with potentially attacker-controlled environment variables.
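The following audit script is an added example, not part of the article and not code from the needrestart project. It checks the two mitigations named above on a host: whether the installed version is 3.8 or later, and, if not, whether needrestart.conf contains an uncommented `$nrconf{interpscan} = 0;` line (a commented-out copy of that line must not count). The config path /etc/needrestart/needrestart.conf and the use of dpkg-query are assumed Debian/Ubuntu defaults; the two sample config files it creates are constructed for illustration and are not real system files.

```shell
#!/bin/sh
# Added audit helper (assumption: Debian/Ubuntu layout). Not from the article
# or the needrestart project. Verifies the fixed version (3.8+) or, failing
# that, that interpreter scanning is disabled in needrestart.conf.

# Succeed (return 0) if the config file turns interpreter scanning off.
# Comments are stripped first so "#$nrconf{interpscan} = 0;" does not count.
interpscan_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    if sed 's/#.*$//' "$conf" \
        | grep -Eq '^[[:space:]]*[$]nrconf[{]interpscan[}][[:space:]]*=[[:space:]]*0[[:space:]]*;'; then
        return 0
    fi
    return 1
}

# Succeed if a version string ("3.8", "3.6-8", "3.8.1", ...) is 3.8 or later,
# the first release carrying the fixes. Only major.minor are compared.
version_fixed() {
    major=${1%%.*}
    rest=${1#*.}
    minor=$(printf '%s' "$rest" | sed 's/[^0-9].*$//')
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 8 ]; then return 0; fi
    return 1
}

# Installed package version on Debian/Ubuntu; empty if not installed.
installed_version() {
    dpkg-query -W -f='${Version}' needrestart 2>/dev/null || true
}

# Human-readable verdict for one config file and one version string.
audit() {
    conf="$1"; ver="$2"
    if version_fixed "$ver"; then
        echo "needrestart $ver: patched release"
    elif interpscan_disabled "$conf"; then
        echo "needrestart $ver: unpatched, but interpscan disabled in $conf"
    else
        echo "needrestart $ver: VULNERABLE - upgrade to 3.8+ or set \$nrconf{interpscan} = 0 in $conf"
    fi
}

# Constructed sample configs (not real files) exercising both outcomes.
CONF_HARDENED=$(mktemp)
CONF_DEFAULT=$(mktemp)
trap 'rm -f "$CONF_HARDENED" "$CONF_DEFAULT"' EXIT
cat >"$CONF_HARDENED" <<'EOF'
# Disable interpreter scanners.
$nrconf{interpscan} = 0;
EOF
cat >"$CONF_DEFAULT" <<'EOF'
# Commented-out setting: scanning stays enabled.
#$nrconf{interpscan} = 0;
$nrconf{restart} = 'l';
EOF

audit "$CONF_HARDENED" "3.6-8"
audit "$CONF_DEFAULT" "3.6-8"
audit "$CONF_DEFAULT" "3.8"
# On a real host: audit /etc/needrestart/needrestart.conf "$(installed_version)"
```

The version check deliberately compares only major.minor, so Debian-style suffixes such as `3.6-8` are handled without a full version parser; the config check strips comments before matching so that a line someone commented out rather than applied is reported as still vulnerable.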