Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04.
The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only yesterday, in version 3.8.
Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.
Summary of LPE flaws
The five flaws Qualys discovered allow attackers with local access to a vulnerable Linux system to escalate their privileges to root without user interaction.
Complete information about the flaws was made available in a separate text file, but a summary can be found below:
- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames supplied by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input.
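The first two flaws hinge on needrestart inheriting PYTHONPATH and RUBYLIB from the environments of running processes. The audit below, an added example that is not part of the article or of needrestart itself, parses the NUL-separated layout of /proc/PID/environ and flags library-path entries that resolve to the current directory, are relative, or point into user-writable trees such as /tmp, which is the footprint a planted library would leave. The UNTRUSTED_PREFIXES list and the sample environment blob are constructed for the example.

```python
import os

# Variables that make an interpreter load extra code at start-up. needrestart
# before 3.8 (with interpreter scanning enabled) inherited these from the
# processes it examined (CVE-2024-48990 for Python, CVE-2024-48992 for Ruby).
INTERP_VARS = ("PYTHONPATH", "RUBYLIB")

# Assumed list of trees that are world-writable or user-controlled on a
# typical Ubuntu host; a library search path pointing here warrants a look.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/run/user")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def untrusted_entries(env: dict) -> list:
    """Return (variable, entry, reason) for every library-path entry that is
    empty (the current directory), relative, or under an untrusted tree."""
    findings = []
    for var in INTERP_VARS:
        if var not in env:
            continue
        for entry in env[var].split(":"):
            if entry in ("", "."):
                findings.append((var, entry, "empty/relative entry resolves to cwd"))
            elif not entry.startswith("/"):
                findings.append((var, entry, "relative path"))
            elif any(entry == p or entry.startswith(p + "/") for p in UNTRUSTED_PREFIXES):
                findings.append((var, entry, "user-writable location"))
    return findings


def scan_proc(proc_root: str = "/proc") -> dict:
    """Live audit: map pid -> findings for every readable process environment.
    Reading other users' /proc/<pid>/environ requires root."""
    results = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/environ", "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited or environ not readable
        found = untrusted_entries(env)
        if found:
            results[int(name)] = found
    return results


# Constructed sample, not a real capture: a user process exporting a Python
# library path under /tmp plus a trailing empty entry, and a benign RUBYLIB.
SAMPLE_ENVIRON = (
    b"HOME=/home/alice\0PATH=/usr/bin:/bin\0"
    b"PYTHONPATH=/tmp/pydeps:\0RUBYLIB=/usr/lib/ruby/vendor_ruby\0"
)

if __name__ == "__main__":
    for var, entry, reason in untrusted_entries(parse_environ(SAMPLE_ENVIRON)):
        print(f"sample: {var}={entry!r} ({reason})")
    for pid, findings in scan_proc().items():
        for var, entry, reason in findings:
            print(f"pid {pid}: {var}={entry!r} ({reason})")
```

Run it as root to cover every process; a hit does not prove an attack, but on a host that still runs a pre-3.8 needrestart with interpreter scanning enabled it identifies exactly the environments that would have been trusted.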
It is important to note that, in order to exploit these flaws, an attacker must have local access to the operating system through malware or a compromised account, which somewhat mitigates the risk.
However, attackers have exploited similar Linux elevation of privilege vulnerabilities in the past to gain root, including Looney Tunables and one exploiting an nf_tables bug, so this new flaw should not be dismissed just because it requires local access.
With the widespread use of needrestart and the very long time it has been vulnerable, the above flaws may create opportunities for privilege elevation on critical systems.
Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited.
# Disable interpreter scanners.
$nrconf{interpscan} = 0;
This should stop needrestart from executing interpreters with potentially attacker-controlled environment variables.
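To confirm that a host is covered by one of the two mitigations, the following added example (not from the article or from the needrestart project) checks both: it parses needrestart.conf for the last uncommented `$nrconf{interpscan}` assignment, treating an absent setting as enabled, and compares the installed package's upstream version against 3.8. The config path /etc/needrestart/needrestart.conf is the usual location on Debian and Ubuntu, and the version comparison strips the epoch and Debian revision and treats a `~` pre-release suffix as the release itself, so borderline versions should be confirmed with `dpkg --compare-versions`. The sample configuration is constructed for the example.

```python
import re
import subprocess

CONF_PATH = "/etc/needrestart/needrestart.conf"  # usual location on Debian/Ubuntu
FIXED_VERSION = (3, 8)  # first release with fixes for all five CVEs

# Matches "$nrconf{interpscan} = 0;" with arbitrary whitespace.
INTERPSCAN_RE = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*(\d+)\s*;")


def interpscan_disabled(conf_text: str) -> bool:
    """True only if the last uncommented interpscan assignment sets it to 0.
    needrestart scans interpreters by default, so no assignment means enabled."""
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments, including commented-out lines
        m = INTERPSCAN_RE.match(line)
        if m:
            value = int(m.group(1))  # later assignments override earlier ones
    return value == 0


def upstream_version(pkg_version: str) -> tuple:
    """Reduce a Debian version ('1:3.6-8ubuntu4') to a numeric upstream tuple.
    Approximation: '3.8~rc1' is read as (3, 8); confirm with dpkg if it matters."""
    v = pkg_version.split(":", 1)[-1].split("-", 1)[0]
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_is_fixed(pkg_version: str) -> bool:
    return upstream_version(pkg_version) >= FIXED_VERSION


def installed_version():
    """Installed needrestart version via dpkg-query, or None if not installed."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f", "${Version}", "needrestart"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def audit(conf_text: str, pkg_version) -> dict:
    """Summarise which mitigation, if any, is in place."""
    patched = pkg_version is not None and version_is_fixed(pkg_version)
    disabled = interpscan_disabled(conf_text)
    return {"patched": patched, "interpscan_disabled": disabled,
            "mitigated": patched or disabled}


# Constructed sample: a commented-out line must not count, the final
# assignment does.
SAMPLE_CONF = """# needrestart configuration (constructed sample)
#$nrconf{interpscan} = 0;
$nrconf{restart} = 'a';
$nrconf{interpscan} = 0;   # disable interpreter scanners
"""

if __name__ == "__main__":
    try:
        with open(CONF_PATH) as fh:
            conf = fh.read()
    except OSError:
        conf = ""  # missing file: defaults apply, so scanning is enabled
    print(audit(conf, installed_version()))
```

A result of `mitigated: False` means the host is still exposed until it is either upgraded or the interpscan line above is added to the configuration.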