Decade-Old Root Access Vulnerability Found in Ubuntu
By Shane Zuls on November 22, 2024
Executive Summary
On Wednesday, November 19, 2024, the Qualys Threat Research Unit identified and reported five easily exploitable vulnerabilities granting full root access in the ‘needrestart’ utility shipped with Ubuntu servers [3]. The vulnerabilities have been present since interpreter support was introduced in needrestart version 0.8, over ten years ago [1]. Needrestart determines whether the system or any of its services need to be restarted so that everything stays updated and upgraded [1]. The exploits involve needrestart running the Python or Ruby interpreter with an attacker-controlled environment variable, and passing unsanitized data to a library that expects safe input, which enables execution of shell commands [1]. The five vulnerabilities are listed below:
- CVE-2024-48990 — A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable [4].
- CVE-2024-48992 — A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable [4].
- CVE-2024-48991 — A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system’s real Python interpreter) [4].
- CVE-2024-10224 & CVE-2024-11003 — These vulnerabilities allow a local attacker to execute arbitrary shell commands [4].
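The first two CVEs above share one root cause: a privileged process launches an interpreter with an environment the unprivileged caller controls, and the interpreter honours variables such as PYTHONPATH when resolving modules. The following is an added example written for this article, not code from needrestart or from its patch. It shows, from the defender's side, a hardened launch pattern for Python: an explicit allow-listed environment plus Python's isolated mode (-I), which ignores all PYTHON* variables. The "untrusted" directory is a constructed temporary directory, and the fixed PATH value is an assumption for the example.

```python
"""Added example; not code from the original article or from needrestart.

Compares two ways a privileged tool might launch a Python interpreter:
inheriting the caller's environment (risky: a caller-chosen PYTHONPATH
directory lands on the module search path) versus an explicit minimal
environment with isolated mode (-I), which ignores PYTHON* variables.
The untrusted directory is a constructed temporary directory.
"""
import os
import subprocess
import sys
import tempfile

# Child-process probe: print every sys.path entry, one per line.
_PROBE = "import sys; print('\\n'.join(sys.path))"


def _child_sys_path(argv, env):
    """Run the current interpreter with the given flags and environment and
    return its module search path as a list of non-empty directory strings."""
    result = subprocess.run(
        [sys.executable, *argv, "-c", _PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    return [p for p in result.stdout.splitlines() if p]


def launch_inheriting_env(untrusted_dir):
    """Risky pattern: the child inherits the caller's environment, and the
    caller has placed a directory of its choosing into PYTHONPATH."""
    env = dict(os.environ)
    env["PYTHONPATH"] = untrusted_dir
    return _child_sys_path([], env)


def launch_hardened(untrusted_dir):
    """Hardened pattern: allow-listed environment (assumed PATH value) and -I.
    PYTHONPATH is deliberately still set here to show that isolated mode
    ignores it even if it leaks through the allow-list."""
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", "PYTHONPATH": untrusted_dir}
    return _child_sys_path(["-I"], env)


def untrusted_dir_reachable(launcher):
    """True if a caller-chosen directory ends up on the child's module
    search path under the given launch strategy."""
    with tempfile.TemporaryDirectory() as untrusted_dir:
        path = launcher(untrusted_dir)
        wanted = os.path.abspath(untrusted_dir)
        return wanted in [os.path.abspath(p) for p in path]


def compare_launch_strategies():
    """Summarise both strategies: {'inherit_env': True, 'hardened': False}."""
    return {
        "inherit_env": untrusted_dir_reachable(launch_inheriting_env),
        "hardened": untrusted_dir_reachable(launch_hardened),
    }


if __name__ == "__main__":
    for name, exposed in compare_launch_strategies().items():
        print(f"{name:12s} caller-chosen directory on sys.path: {exposed}")
```

The same principle applies to any interpreter or helper a root-level tool spawns: build the child's environment from an explicit allow-list rather than filtering a caller-supplied one, and prefer interpreter flags that disable environment-driven configuration outright.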
Background
Ubuntu is an open-source Linux distribution derived from Debian. It is mainly developed by the British company Canonical together with a diverse community of other developers from around the world. It comes in desktop, server, and core versions for IoT devices. Open-source software is typically considered at least as secure as proprietary software because many knowledgeable people in the community can review it, yet vulnerabilities still slip through often.
Impact
Ubuntu is one of the most popular operating systems for web servers in the world. Around 47% of all websites use Ubuntu for their servers, including Netflix, Snapchat, Reddit, Dropbox, Uber, Instagram, Tesla, Walmart, Bloomberg, and Wikipedia, just to name a few [2]. Because the disclosure is so recent, it is not yet known whether the vulnerabilities have already been exploited by APTs or other actors.
Significance
Because the vulnerabilities were found by a reputable company and team, a patch and a temporary mitigation are already available to users around the world. It is recommended that all Ubuntu server owners update their systems immediately or mitigate the issue by disabling interpreter scanning in needrestart’s configuration [1]. These vulnerabilities show that while open-source software may include some of the most efficient code in the world, security updates should never be ignored, as vulnerabilities can surface without warning and compromise entire departments of a business.
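The interim mitigation referred to above is a configuration change, so an administrator will want a way to confirm it is actually in effect across a fleet. The following is an added example written for this article, not code from needrestart or from Qualys. It audits a needrestart.conf-style file for the documented workaround line `$nrconf{interpscan} = 0;`. It assumes the configuration is Perl syntax in which a later assignment overrides an earlier one, that `#` starts a comment, and that the default file path is /etc/needrestart/needrestart.conf; the sample configurations embedded in it are constructed.

```python
"""Added example; not code from the original article, needrestart or Qualys.

Audits needrestart configuration text for the interim mitigation of
disabling interpreter scanning with `$nrconf{interpscan} = 0;`.
Assumptions: Perl-style config, '#' starts a comment, the last effective
assignment wins, and the default file is /etc/needrestart/needrestart.conf.
"""
import re
import sys

# Matches an effective assignment such as:  $nrconf{interpscan} = 0;
_INTERPSCAN_RE = re.compile(r"\$nrconf\{interpscan\}\s*=\s*(\d+)\s*;")


def _strip_comment(line):
    """Drop everything from the first '#' onward (Perl line comment)."""
    return line.split("#", 1)[0]


def interpscan_state(config_text):
    """Return 'disabled', 'enabled' or 'unset' for the given config text.
    'unset' means no explicit assignment, so needrestart's built-in default
    applies. The last uncommented assignment wins, mirroring Perl."""
    state = "unset"
    for raw in config_text.splitlines():
        match = _INTERPSCAN_RE.search(_strip_comment(raw))
        if match:
            state = "disabled" if match.group(1) == "0" else "enabled"
    return state


def mitigated(config_text):
    """True only if interpreter scanning is explicitly disabled."""
    return interpscan_state(config_text) == "disabled"


# Constructed sample configurations (not real files from a system).
SAMPLE_DEFAULT = (
    "# Restart services automatically?\n"
    "$nrconf{restart} = 'i';\n"
    "#$nrconf{interpscan} = 1;\n"          # commented out: no effect
)
SAMPLE_MITIGATED = (
    "$nrconf{restart} = 'a';\n"
    "$nrconf{interpscan} = 0;   # disable interpreter scanning\n"
)
SAMPLE_REENABLED = (
    "$nrconf{interpscan} = 0;\n"
    "$nrconf{interpscan} = 1;   # later assignment wins\n"
)

DEFAULT_CONF = "/etc/needrestart/needrestart.conf"  # assumed default path


def audit_file(path=DEFAULT_CONF):
    """Read a configuration file and report its interpscan state."""
    with open(path, encoding="utf-8") as fh:
        return interpscan_state(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF
    try:
        print(f"{target}: interpscan {audit_file(target)}")
    except OSError as exc:
        print(f"cannot read {target}: {exc}")
```

Treat "unset" as not mitigated: the workaround only counts when the value is explicitly 0. If the installation also loads drop-in files from a conf.d directory, run the same check over those files in load order, because a later file can re-enable scanning. Once the patched needrestart package is installed, the permanent fix is the update itself rather than this setting.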
References
[1] Abbasi S., “Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart,” 2024. https://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart
[2] Emmanoulopoulou A., “Infographic: How many people use Ubuntu?,” 2016. https://ubuntu.com/blog/ubuntu-is-everywhere
[3] Lakshmanan R., “Decades-Old Security Vulnerabilities Found in Ubuntu’s Needrestart Package,” 2024. https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html
[4] Pierluigi P., “Decade-Old Local Privilege Escalation Bugs Impacts Ubuntu Needrestart Package,” 2024. https://securityaffairs.com/171228/security/privilege-escalation-bugs-ubuntu-needrestart-package.html