Decade-Old Vulnerabilities in Ubuntu Server Allow Attackers to Gain Root Access

Several decade-old Local Privilege Escalation (LPE) vulnerabilities found in the needrestart component, installed by default in Ubuntu Server, allow local attackers to gain root access on the system.

Needrestart is a utility that checks whether the system needs to be rebooted or if any services need to be restarted after performing APT operations such as installation, upgrade, or removal of packages. This component has been installed by default in Ubuntu Server since version 21.04, and due to its integration with server images, needrestart automatically runs after APT operations.

The vulnerabilities in the needrestart component affect a significant number of deployments worldwide. These vulnerabilities were likely introduced with interpreter support in needrestart version 0.8, released in April 2014.

Vulnerabilities such as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003 indicate the need for immediate remediation to ensure system integrity.

CVE-2024-48990 (CVSS score: 7.8) — By using an attacker-controlled PYTHONPATH environment variable, needrestart can be tricked into launching the Python interpreter, allowing local attackers to run arbitrary code as root.

CVE-2024-48991 (CVSS score: 7.8) — In this vulnerability, needrestart is deceived into using a fake Python interpreter instead of the system’s actual Python interpreter, leading to a race condition and allowing local attackers to gain root access.

CVE-2024-48992 (CVSS score: 7.8) — Attackers can use an attacker-controlled RUBYLIB environment variable to trick needrestart into launching the Ruby interpreter, allowing arbitrary code execution as root.

CVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) — These vulnerabilities allow local attackers to execute arbitrary commands.

These vulnerabilities, found in the needrestart utility, which is often run as root during package installations or upgrades, allow local users to escalate their privileges and execute arbitrary code.

Exploiting these vulnerabilities would allow attackers to gain root access, posing a serious threat to the system’s integrity and security.

Affected needrestart Versions and Fixes Available
The vulnerabilities were found in the needrestart component, which has been installed by default in Ubuntu Server since version 21.04. This component allows local attackers to execute arbitrary code as root in versions earlier than 3.8. The issue affects needrestart versions before 3.8, and version 3.8 includes fixes.

Disabling the interpreter detection feature in needrestart’s configuration can prevent this flaw.

The needrestart configuration file can be found at /etc/needrestart/needrestart.conf. This file contains various options that control the behavior of the needrestart utility. Disabling the interpreter scanning feature is an effective way to avoid this vulnerability.

Organizations should quickly reduce this risk by removing the vulnerable feature or updating the software.