Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

eslerm
on 19 November 2024

Needrestart local privilege escalation vulnerability fixes available


Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, and CVE-2024-11003) and a related issue in libmodule-scandeps-perl (CVE-2024-10224). The vulnerabilities affect Debian, Ubuntu and other Linux distributions.

Canonical’s security team has released updates for the needrestart and libmodule-scandeps-perl packages for all Ubuntu releases. These packages are installed by default in all Ubuntu Server images since 21.04, but can be manually installed on any Ubuntu release (including Desktop installations). The updates remediate CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991 and CVE-2024-48992. Information on the affected versions can be found in the CVE pages linked above. If you have any of these installed, our recommendation is to update as soon as possible.

How the exploits work

These needrestart exploits allow Local Privilege Escalation (LPE) which means that a local attacker is able to gain root privileges.

In two of the vulnerabilities, CVE-2024-48990 and CVE-2024-48922, the local attacker can set an environment variable (either PYTHONPATH or RUBYLIB), then run a script to wait for needrestart to run and trick it into using the attacker’s environment to run arbitrary code (such as to create a root shell).

In CVE-24024-48991 a local attacker can control the Python interpreter by winning a time-of-check time-of-use race condition against needrestart.

In CVE-2024-10224, Qualys discovered that attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by open()ing a “pesky pipe” (such as by passing “commands|” as a filename) or by passing arbitrary strings to eval(). On its own, this is not enough for local privilege escalation. However, in CVE-2024-11003 needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and triggers CVE-2024-10224 with root privilege. The fix for CVE-2024-11003 removes needrestart’s dependency on Module::ScanDeps.

Impacted releases

ReleasePackage NamePackage Version
Xenial (16.04)needrestart<= 2.6-1
libmodule-scandeps-perl<= 1.20-1
Bionic (18.04)needrestart<= 3.1-1ubuntu0.1
libmodule-scandeps-perl<= 1.24-1
Focal (20.04)needrestart<= 3.4-6ubuntu0.1
libmodule-scandeps-perl<= 1.27-1
Jammy (22.04)needrestart<= 3.5-5ubuntu2.1
libmodule-scandeps-perl<= 1.31-1
Noble (24.04)needrestart<= 3.6-7ubuntu4.1
libmodule-scandeps-perl<= 1.35-1
Oracular (24.10)needrestart<= 3.6-8ubuntu4
libmodule-scandeps-perl< 1.35-1

Server installations for the Jammy, Noble and Oracular releases are affected, as the needrestart package is installed by default. Desktop installations and default Ubuntu Server installations before Jammy are only affected if needrestart has been manually installed.

How to check if you are impacted

On your system, run the following command and compare the listed version to the table above.

apt list --installed | grep "^\(needrestart\|libmodule-scandeps-perl\)"

How to address

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible, the affected component can be targeted:

sudo apt update && sudo apt install --only-upgrade needrestart libmodule-scandeps-perl

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:  

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

Mitigation

The strongest protection is to apply the security updates. The following mitigations have also been explored. If security updates cannot be applied, you should only apply the following steps as a last resort and restore the original configuration file once updates are applied. Please note that modifying configuration files may stop future unattended upgrades from completing successfully, until these are reverted to the original content.

Follow advice from the CVE-2022-30688 needrestart advisory:

Edit /etc/needrestart/needrestart.conf to contain:

# Disable interpreter scanners.
$nrconf{interpscan} = 0;

Acknowledgements

We would like to thank Qualys for their excellent reporting and for inviting Ubuntu Security to coordinate this issue. We would also like to thank Thomas Liske from needrestart and Roderich Schupp from Module::ScanDeps for their support.

References

https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
https://github.com/rschupp/Module-ScanDeps/security/advisories/GHSA-g597-359q-v529
https://phrack.org/issues/55/7.html#article
https://ubuntu.com/security/CVE-2024-48990
https://ubuntu.com/security/CVE-2024-48991
https://ubuntu.com/security/CVE-2024-48992
https://ubuntu.com/security/CVE-2024-11003
https://ubuntu.com/security/CVE-2024-10224

Related posts


Luci Stanescu
3 July 2024

What you need to know about regreSSHion: an OpenSSH server remote code execution vulnerability (CVE-2024-6387)

Security Security

Details about the high-impact CVE-2024-6387 vulnerability, nicknamed regreSSHion, and the Ubuntu fix released on the CRD. ...


Luci Stanescu
28 October 2024

Imagining the future of Cybersecurity

Ubuntu Security

October 2024 marks the 20th anniversary of Ubuntu. The cybersecurity landscape has significantly shifted since 2004. If you have been following the Ubuntu Security Team’s special three-part series podcast that we put out to mark Cybersecurity Awareness Month, you will have listened to us talk about significant moments that have shaped the ...


Lech Sandecki
23 October 2024

6 facts for CentOS users who are holding on

Cloud and server Article

Considering migrating to Ubuntu from other Linux platforms, such as CentOS? Find six useful facts to get started! ...