Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart
Last updated on: November 21, 2024
Table of Contents
- What is needrestart?
- Affected needrestart Versions:
- Potential Impact
- Steps to Mitigate Risk
- Technical Details
- Qualys QID Coverage
- Mitigate Risk with Qualys TruRisk Mitigate
- Discover Vulnerable Assets Using Qualys CyberSecurity Asset Management (CSAM)
- Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)
- Conclusion
The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity.
Our TRU team has successfully developed functional exploits for these vulnerabilities. While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure.
These vulnerabilities have been present since the introduction of interpreter support in needrestart version 0.8, released in April 2014.
What is needrestart?
Needrestart is a utility that scans your system to determine whether a restart is necessary for the system or its services. Specifically, it flags services for restart if they’re using outdated shared libraries—such as when a library is replaced during a package update. Because it is integrated into server images, needrestart is set to automatically run after APT operations like install, upgrade, or remove, including unattended upgrades. Its primary role is identifying services that require restarting after critical library updates, such as the C library (glibc). This process ensures that services utilize the latest library versions without requiring a complete system reboot, enhancing uptime and performance. By promptly updating services with the newest libraries, needrestart is vital for maintaining the security and efficiency of Ubuntu Server.
Affected needrestart Versions:
The vulnerabilities are present in the needrestart component, installed by default on Ubuntu Server since version 21.04, impacting a substantial number of deployments globally. In versions prior to 3.8, the component allows local attackers to execute arbitrary code as root. This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands.
Versions of needrestart prior to 3.8 are affected, and a fix is available in version 3.8.
While needrestart has been installed by default on Ubuntu Server since version 21.04, it can also be manually installed on desktop systems or older server releases. Ubuntu’s Security Team has backported patches to older needrestart versions in LTS releases, including 3.6, 3.5, 3.4, 3.1, and 2.6.
Besides Ubuntu, other Linux distributions include vulnerable versions of needrestart in their package repositories. We highly recommend verifying whether needrestart is installed on systems and ensuring they are running version 3.8 or have applied the necessary backported security patches.
Potential Impact
These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user.
An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security.
This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization’s reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature.
Steps to Mitigate Risk
Disabling the interpreter heuristic in needrestart’s config prevents this attack. The needrestart configuration file is typically located at /etc/needrestart/needrestart.conf. This file contains various settings that control the behavior of the needrestart utility.
# Disable interpreter scanners. $nrconf{interpscan} = 0;
This modification will disable the interpreter scanning feature.
Technical Details
You can find the technical details of this vulnerability at: https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
Qualys QID Coverage
Qualys is releasing the QIDs in the table below as they become available.
QID | Title | Version | Supported On |
382375 | needrestart Multiple Local Privilege Escalation (LPE) Vulnerabilities | Available by noon | Scanner + Agent + CS Sensor |
Mitigate Risk with Qualys TruRisk Mitigate
Qualys TruRisk Eliminate helps you mitigate these needrestart vulnerabilities without applying patches. It provides comprehensive solutions that go beyond traditional patch management, ensuring that all vulnerabilities can be effectively addressed.
To begin with, you can search for currently supported mitigable vulnerabilities using the Qualys Query Language (QQL) token:
“vulnerabilities.qualysMitigable:TRUE”
In this case, to specifically search for vulnerabilities affecting the Ubuntu operating system, use the following QQL:
“vulnerabilities.qualysMitigable:TRUE and vulnerabilities.vulnerability.category:`Ubuntu`”
Please note: At the time of releasing the mitigation, the official vendor-provided patch was unavailable.
Selecting the type of mitigant allows you to mitigate the vulnerability using the modification in the needrestart.conf file.
Clicking on “Mitigate Now” protects you from this vulnerability.
Discover Vulnerable Assets Using Qualys CyberSecurity Asset Management (CSAM)
The initial and crucial step in managing this critical vulnerability and mitigating associated risks involves pinpointing all assets susceptible to this specific issue. Use CyberSecurity Asset Management (CSAM) to identify your organization’s instances that have vulnerable versions of needrestart or are at their End of Life (EOL) or End of Support (EOS).
In the following example, we aim to identify all assets running the Ubuntu Server:
operatingSystem:ubuntu
software:(name:"needrestart”)
Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)
Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond, prioritize, and mitigate the associated risks.
Leverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.
Use this QQL statement:
vulnerabilities.vulnerability.cveIds:[CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, CVE-2024-11003]
Conclusion
In conclusion, these local privilege escalation vulnerabilities in the needrestart, recently discovered by the Qualys Threat Research Unit, are alarming. These vulnerabilities allow local users to escalate their privileges to the root user level. An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security. Such a breach poses risks to enterprises, including unauthorized access to sensitive data, malware installation, and potential disruption of business operations. To mitigate these risks, enterprises are urged to promptly update the software or disable the affected feature.