Ubuntu server: Root flaw through needrestart component

IT security researchers have discovered five root vulnerabilities in the needrestart component of Ubuntu servers.

Stylized image: Laptop shows burning penguin

(Image: created with AI in Bing Designer by heise online / dmk)


Since Ubuntu 21.04, Ubuntu Server has shipped with a component called "needrestart" installed by default. IT security researchers have now discovered five vulnerabilities in this component that could allow attackers to escalate their privileges to "root".

In their analysis, the IT researchers from Qualys write that in needrestart versions prior to 3.8, local attackers can execute arbitrary code as root. By manipulating an environment variable (PYTHONPATH or RUBYLIB) that controls the Python and Ruby interpreters, they can pass unfiltered data to a library that expects trusted input and thereby execute arbitrary shell commands (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992 and CVE-2024-11003, all in the needrestart package with CVSS 7.8, risk "high", plus CVE-2024-10224 in the libmodule-scandeps-perl package with CVSS 5.3, risk "medium").

Version 3.8 of needrestart is available and closes the security gaps. The software scans the system and determines whether the system or individual services need to be restarted. For example, if services are still using outdated libraries, which is often the case after package updates, needrestart flags them, Qualys explains. It is pre-installed on Ubuntu Server and runs automatically after APT actions such as installations, upgrades or the removal of software. This is what lets attackers escalate their privileges and execute arbitrary code whenever package installations or upgrades are running, compromising the system.

In addition to updating needrestart, the problem can be prevented by deactivating the interpreter heuristic in the configuration file of needrestart (usually /etc/needrestart/needrestart.conf). The option $nrconf{interpscan} = 0; must be set there.

Canonical has now released updated libmodule-scandeps-perl and needrestart packages for the affected Ubuntu releases. To check whether your own machines are vulnerable, it helps to issue the command sudo apt list --installed | grep "^\(needrestart\|libmodule-scandeps-perl\)". Updating the vulnerable packages is done by the command chain sudo apt update && sudo apt install --only-upgrade needrestart libmodule-scandeps-perl.
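The version check and the interpscan mitigation described above, combined into one audit helper. This is an added example, not code from the article, Qualys or the needrestart project; it parses the output of the quoted apt command and the contents of needrestart.conf from text (constructed samples below), so it runs offline, and it assumes 3.8 is the first fixed needrestart version, as the article states.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the article or the needrestart project).
# Inputs are plain text so the logic can be exercised on sample data;
# on a real host feed it `apt list --installed 2>/dev/null` and
# `cat /etc/needrestart/needrestart.conf`.
FIXED_VERSION=3.8   # first needrestart release with the fixes (per the article)

# Print the installed version of a package from `apt list --installed` output.
# Lines look like: needrestart/noble,now 3.6-7ubuntu4 all [installed,automatic]
installed_version() {   # $1 = package name, stdin = apt list output
  awk -v pkg="$1" -F'[/ ]' '$1 == pkg { print $3; exit }'
}

# Succeed when the interpreter heuristic is switched off in the config text
# (an uncommented `$nrconf{interpscan} = 0;` line).
interpscan_disabled() { # stdin = needrestart.conf contents
  grep -Eq '^[[:space:]]*[$]nrconf[{]interpscan[}][[:space:]]*=[[:space:]]*0[[:space:]]*;'
}

# Print one of: not-installed, patched, mitigated, vulnerable.
needrestart_status() {  # $1 = apt list output, $2 = needrestart.conf contents
  local ver
  ver=$(printf '%s\n' "$1" | installed_version needrestart)
  if [ -z "$ver" ]; then echo not-installed; return 0; fi
  # dpkg knows the Debian version ordering; fall back to sort -V without it.
  if command -v dpkg >/dev/null 2>&1; then
    if dpkg --compare-versions "$ver" ge "$FIXED_VERSION"; then echo patched; return 0; fi
  elif [ "$(printf '%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n1)" = "$FIXED_VERSION" ]; then
    echo patched; return 0
  fi
  if printf '%s\n' "$2" | interpscan_disabled; then echo mitigated; else echo vulnerable; fi
}

# Constructed sample data: an unpatched host that has applied the config workaround.
SAMPLE_APT='Listing... Done
libmodule-scandeps-perl/noble,now 1.35-1 all [installed,automatic]
needrestart/noble,now 3.6-7ubuntu4 all [installed,automatic]'
SAMPLE_CONF='# constructed sample of /etc/needrestart/needrestart.conf
#$nrconf{interpscan} = 1;
$nrconf{interpscan} = 0;'

needrestart_status "$SAMPLE_APT" "$SAMPLE_CONF"
```

A "mitigated" verdict only covers the needrestart interpreter heuristic; libmodule-scandeps-perl still needs the package update.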

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.