Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart

The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity.

Our TRU team has successfully developed functional exploits for these vulnerabilities. While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure.

These vulnerabilities have been present since the introduction of interpreter support in needrestart version 0.8, released in April 2014.

What is needrestart?

Needrestart is a utility that scans your system to determine whether a restart is necessary for the system or its services. Specifically, it flags services for restart if they're using outdated shared libraries-such as when a library is replaced during a package update. Because it is integrated into server images, needrestart is set to automatically run after APT operations like install, upgrade, or remove, including unattended upgrades. Its primary role is identifying services that require restarting after critical library updates, such as the C library (glibc). This process ensures that services utilize the latest library versions without requiring a complete system reboot, enhancing uptime and performance. By promptly updating services with the newest libraries, needrestart is vital for maintaining the security and efficiency of Ubuntu Server.

Affected needrestart Versions:

The vulnerabilities are present in the needrestart component, installed by default on Ubuntu Server since version 21.04, impacting a substantial number of deployments globally. In versions prior to 3.8, the component allows local attackers to execute arbitrary code as root. This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands.

Versions of needrestart prior to 3.8 are affected, and a fix is available in version 3.8.

Potential Impact

These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user.

An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security.

This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization's reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature.

Steps to Mitigate Risk

Disabling the interpreter heuristic in needrestart's config prevents this attack. The needrestart configuration file is typically located at /etc/needrestart/needrestart.conf. This file contains various settings that control the behavior of the needrestart utility.

# Disable interpreter scanners. $nrconf{interpscan} = 0; 

This modification will disable the interpreter scanning feature.

Technical Details

You can find the technical details of this vulnerability at: https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

Qualys QID Coverage

Qualys is releasing the QIDs in the table below as they become available.

Mitigate Risk with Qualys TruRisk Mitigate

helps you mitigate these needrestart vulnerabilities without applying patches. It provides comprehensive solutions that go beyond traditional patch management, ensuring that all vulnerabilities can be effectively addressed.

To begin with, you can search for currently supported mitigable vulnerabilities using the "vulnerabilities.qualysMitigable:TRUE" Qualys Query Language (QQL) token:

In this case, to specifically search for vulnerabilities affecting the Ubuntu operating system, use the following QQL: "vulnerabilities.qualysMitigable:TRUE and vulnerabilities.vulnerability.category:`Ubuntu`"

Please note: At the time of releasing the mitigation, the official vendor-provided patch was unavailable.

Selecting the type of mitigant allows you to mitigate the vulnerability using the modification in the needrestart.conf file.

Discover Vulnerable Assets Using Qualys CyberSecurity Asset Management (CSAM)

The initial and crucial step in managing this critical vulnerability and mitigating associated risks involves pinpointing all assets susceptible to this specific issue. Use CyberSecurity Asset Management (CSAM) to identify your organization's instances that have vulnerable versions of needrestart or are at their End of Life (EOL) or End of Support (EOS).

In the following example, we aim to identify all assets running the Ubuntu Server:

operatingSystem:ubuntu

software:(name:"needrestart")

Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)

Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond, prioritize, and mitigate the associated risks.

Leverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.

Use this QQL statement:

vulnerabilities.vulnerability.cveIds:[CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, CVE-2024-11003]

Conclusion

In conclusion, these local privilege escalation vulnerabilities in the needrestart, recently discovered by the Qualys Threat Research Unit, are alarming. These vulnerabilities allow local users to escalate their privileges to the root user level. An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security. Such a breach poses risks to enterprises, including unauthorized access to sensitive data, malware installation, and potential disruption of business operations. To mitigate these risks, enterprises are urged to promptly update the software or disable the affected feature.

Related

Public link

Please use the above public link if you want to share this noodl on another website.