'Alarming' security bugs lay low in Linux's needrestart utility for 10 years

Researchers at Qualys refuse to release exploit code for five bugs in the Linux world's needrestart utility that allow unprivileged local attackers to gain root access without any user interaction.

The security shop's Threat Research Unit (TRU) said it was able to develop a working exploit but wouldn't release it, describing the findings as "alarming." Regardless, they said the vulnerabilities are "easily exploitable" and urged admins to apply the recommended fixes promptly.

To be clear, the holes can be exploited by rogue and hijacked local users, or malware, already on a system to gain root access.

Saeed Abbasi, product manager at Qualys's TRU, disclosed the five vulnerabilities this week for the first time in a blog, although, according to experts, they were actually introduced in April 2014.

The vulnerabilities all lie in the needrestart utility, which, intuitively enough, is designed to determine if a restart is needed. For example, if a critical library is updated or an installation or other upgrade is made, it determines that a restart is necessary to bring in the changes and begins that reboot automatically if so.

The little tool is available separately and in various Linux distributions, and as Abbasi highlighted, is present by default in Ubuntu Server, at least.

Qualys's more detailed technical notes of the vulnerabilities explain that needrestart offers security benefits by identifying outdated source files, as these may contain bugs, while ironically also being the source of a nasty series of exploits.

"This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands," Abbasi wrote.

Each of the five vulnerabilities are detailed below:

• CVE-2024-48990 (CVSSv3: 7.8): Relates to needrestart extracting the PYTHONPATH environment variable to determine whether a restart is needed. If a local attacker can control this variable, they can execute code as root.

• CVE-2024-48991 (CVSSv3: 7.8): Also concerning the Python interpreter, the utility is vulnerable to a TOCTOU race condition, which, if exploited successfully, allows an attacker to run their own Python interpreter and execute code as root. The researchers believe it also affects the Ruby interpreter but couldn't confirm in time for the disclosure.

• CVE-2024-48992 (CVSSv3: 7.8): Essentially the same bug as CVE-2024-48990, but it instead affects the Ruby interpreter, with the confirmation made shortly before the disclosure at the last hour.

• CVE-2024-10224 (CVSSv3: 5.3): Relates to needrestart's Perl interpreter, which behaves differently from the Python and Ruby equivalents, although the description notes the vulnerability technically lies in Perl's ScanDeps module, which executes the interpreter. Attackers can craft filenames in the format of the shell commands they want to execute.

• CVE-2024-11003 (CVSSv3: 7.8): Relates to CVE-2024-10224 and concerns the unsanitized input that's passed to ScanDeps that can lead to the execution of arbitrary shell commands.

• NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great
• Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk
• Seoul accuses North Korea of stealing southern chipmakers' designs
• So, are we going to talk about how GitHub is an absolute boon for malware, or nah?

Needrestart is installed by default and was introduced in version 0.8 more than ten years ago. All versions of the utility before 3.8 are considered vulnerable and attackers could execute code as root. Versions after 3.8 have the fix applied.

Ubuntu Server is widely used, especially for running VMs, and although there are no exact figures that show how many instances are currently vulnerable, the number is likely to be in the millions.

The vulnerabilities, however, could be worse. The fact that an attacker would need local access to an Ubuntu Server instance means prospective attackers would need to go through the added hoops of gaining such access through the likes of remote access software, malware, or valid credentials.

"An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security," Abbasi added.

"This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization's reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature."

Upgrading to version 3.8 or later of needrestart is the recommended course of action, although Qualys also said that users can modify needrestart's configuration to disable its interpreter heuristic, which mitigates the issue. ®