Researchers from the Qualys Threat Research Unit have discovered five vulnerabilities in “needrestart”, a standard component of Ubuntu. The vulnerabilities allow local privilege escalation (LPE) on affected systems.
These vulnerabilities can be exploited by any non-privileged user to gain full root access without requiring user interaction. The identified vulnerabilities have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224 and CVE-2024-11003, emphasizing the need for immediate remediation to protect system integrity.
The Qualys TRU team has successfully developed functional exploits for these vulnerabilities. While we will not be disclosing our exploits, it should be recognized that these vulnerabilities are easily exploitable and other researchers may release working exploits shortly after this coordinated disclosure.
These vulnerabilities have existed since the introduction of interpreter support in version 0.8 of needrestart, which was released in April 2014.
What is needrestart?
Needrestart is a utility that scans systems to determine if a restart is required for the system or its services. In particular, it flags services for a restart if they use obsolete shared libraries – for example, if a library is replaced during a package update.
As it is integrated into server images, needrestart is set to run automatically after APT operations such as installation, upgrade or removal, including unattended upgrades. Its main task is to identify services that need to be restarted after critical library updates, such as the C library (glibc). This process ensures that services use the latest library versions without requiring a full system reboot, improving uptime and performance. By instantly updating services with the latest libraries, needrestart is critical to maintaining the security and efficiency of Ubuntu Server.
Affected needrestart versions:
The vulnerabilities are present in the needrestart component, which has been installed by default on Ubuntu Server since version 21.04 and affects a significant number of deployments worldwide. In versions prior to 3.8, the component allows local attackers to execute arbitrary code as root. Exploitation works by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input and thereby allowing the execution of arbitrary shell commands. A fix is available in version 3.8.
Possible effects
These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or updates, when needrestart is often run as the root user.
An attacker exploiting these vulnerabilities could gain root access and jeopardize system integrity and security.
This poses significant risks to companies, including unauthorized access to sensitive data, installation of malware and disruption to business operations. It could lead to data breaches, non-compliance and loss of trust with customers and stakeholders, ultimately impacting the company’s reputation. Companies should quickly mitigate this risk by updating the software or disabling the vulnerable feature.
Steps to reduce risk
Deactivating the interpreter heuristics in the configuration of needrestart prevents this attack. The configuration file of needrestart is normally located under /etc/needrestart/needrestart.conf. This file contains various settings that control the behavior of the needrestart utility.
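The following check is an added example, not code from Qualys or the needrestart project. It audits a needrestart configuration file to confirm the interpreter heuristics are switched off. It assumes the mitigation is the upstream setting `$nrconf{interpscan} = 0;`, which this page does not name, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether needrestart's interpreter heuristics are disabled.
# Heuristic only: the config file is Perl, so this recognizes plain
# `$nrconf{interpscan} = <number>;` lines; the last uncommented one wins.

# Print the effective interpscan value from the given file(s), read in order,
# or "unset" when no uncommented assignment exists (scanning stays enabled).
interpscan_value() {
    val=$(sed -n -e 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' \
            "$@" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Return 0 only when the heuristics are explicitly switched off.
interpscan_disabled() {
    [ "$(interpscan_value "$@")" = "0" ]
}

# Write constructed sample configs (not real system files) into directory $1.
make_samples() {
    dir=$1
    # Setting present but commented out: the mitigation is NOT active.
    printf '%s\n' '# Disable interpreter scanners.' '#$nrconf{interpscan} = 0;' > "$dir/default.conf"
    # Mitigation applied, with indentation and a trailing comment.
    printf '%s\n' '$nrconf{restart} = q(a);' '  $nrconf{interpscan} = 0;  # mitigation' > "$dir/hardened.conf"
    # Disabled, then re-enabled further down: the later line wins.
    printf '%s\n' '$nrconf{interpscan} = 0;' '$nrconf{interpscan} = 1;' > "$dir/reenabled.conf"
}

# Report one line per file.
audit() {
    for f in "$@"; do
        if interpscan_disabled "$f"; then
            echo "OK    $f: interpreter heuristics disabled"
        else
            echo "WARN  $f: interpscan=$(interpscan_value "$f") (heuristics active)"
        fi
    done
}

# Demo on constructed samples. On a real host:
#   audit /etc/needrestart/needrestart.conf
tmp=$(mktemp -d) && make_samples "$tmp" && audit "$tmp"/*.conf
rm -rf "$tmp"
```

A commented-out line is reported as unset rather than disabled, so a file that merely contains the setting does not pass the check.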
Further technical information here.