
Needrestart local privilege escalation vulnerability fixes available

Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, and CVE-2024-11003) and a related issue in libmodule-scandeps-perl (CVE-2024-10224). The vulnerabilities affect Debian, Ubuntu and other Linux distributions.


Canonical’s security team has released updates for the needrestart and libmodule-scandeps-perl packages for all Ubuntu releases. These packages are installed by default in all Ubuntu Server images since 21.04, but can be manually installed on any Ubuntu release (including Desktop installations). The updates remediate CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991 and CVE-2024-48992. Information on the affected versions can be found in the CVE pages linked above. If you have any of these installed, our recommendation is to update as soon as possible.

How the exploits work

These needrestart exploits allow Local Privilege Escalation (LPE) which means that a local attacker is able to gain root privileges.

In two of the vulnerabilities, CVE-2024-48990 and CVE-2024-48992, the local attacker can set an environment variable (PYTHONPATH or RUBYLIB respectively), then run a script that waits for needrestart to run and tricks it into using the attacker’s environment to run arbitrary code as root (such as to create a root shell).

In CVE-2024-48991 a local attacker can control the Python interpreter by winning a time-of-check/time-of-use (TOCTOU) race condition against needrestart.

In CVE-2024-10224, Qualys discovered that attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by open()ing a “pesky pipe” (such as by passing “commands|” as a filename) or by passing arbitrary strings to eval(). On its own, this is not enough for local privilege escalation. However, in CVE-2024-11003 needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and so triggers CVE-2024-10224 with root privileges. The fix for CVE-2024-11003 removes needrestart’s dependency on Module::ScanDeps.

Impacted releases

Release            Package                  Package Version
Xenial (16.04)     needrestart              < 2.6-1
Xenial (16.04)     libmodule-scandeps-perl  < 1.20-1
Bionic (18.04)     needrestart              < 3.1-1ubuntu0.1
Bionic (18.04)     libmodule-scandeps-perl  < 1.24-1
Focal (20.04)      needrestart              < 3.4-6ubuntu0.1
Focal (20.04)      libmodule-scandeps-perl  < 1.27-1
Jammy (22.04)      needrestart              < 3.5-5ubuntu2.1
Jammy (22.04)      libmodule-scandeps-perl  < 1.31-1
Noble (24.04)      needrestart              < 3.6-7ubuntu4.1
Noble (24.04)      libmodule-scandeps-perl  < 1.35-1
Oracular (24.10)   needrestart              < 3.6-8ubuntu4
Oracular (24.10)   libmodule-scandeps-perl  < 1.35-1

Server installations for the Jammy, Noble and Oracular releases are affected, as the needrestart package is installed by default. Desktop installations and default Ubuntu Server installations before Jammy are only affected if needrestart has been manually installed.

How to check if you are impacted

On your system, run the following command and compare the listed version to the table above. The alternation in the pattern needs extended regular expressions (grep -E); with plain grep the parentheses and the bar are matched literally and nothing is listed.

apt list --installed 2>/dev/null | grep -E "^(needrestart|libmodule-scandeps-perl)/"
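The same check can be automated and run across a fleet. The script below is an added example, not part of Canonical’s advisory: it reimplements dpkg’s version ordering (epoch, upstream, Debian revision, with “~” sorting first), parses apt list --installed output, and flags packages below the thresholds in the table above. It assumes the caller supplies the release codename and uses a constructed sample of apt output.

```python
FIXED = {  # (needrestart, libmodule-scandeps-perl) thresholds from the table above
    "xenial": ("2.6-1", "1.20-1"), "bionic": ("3.1-1ubuntu0.1", "1.24-1"),
    "focal": ("3.4-6ubuntu0.1", "1.27-1"), "jammy": ("3.5-5ubuntu2.1", "1.31-1"),
    "noble": ("3.6-7ubuntu4.1", "1.35-1"), "oracular": ("3.6-8ubuntu4", "1.35-1"),
}
PACKAGES = ("needrestart", "libmodule-scandeps-perl")

def _order(c):  # dpkg character weight: '~' < end-of-string < letters < punctuation
    if not c or c.isdigit(): return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):  # alternating non-digit / numeric comparison, as in dpkg
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # the longer number is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):  # <0, 0, >0 like `dpkg --compare-versions`
    def split(v):  # "epoch:upstream-revision" -> (epoch, upstream, revision)
        epoch, colon, rest = v.partition(":")
        if not colon: epoch, rest = "0", v
        up, dash, rev = rest.rpartition("-")
        return int(epoch), (up if dash else rest), rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_apt_list(text):  # "needrestart/jammy-updates,now 3.5-5ubuntu2.1 all [installed]"
    rows = (line.split() for line in text.splitlines())
    return {p[0].split("/", 1)[0]: p[1] for p in rows if len(p) >= 2 and "/" in p[0]}

def vulnerable_packages(release, apt_list_output):  # -> [(package, installed, threshold)]
    fixed = dict(zip(PACKAGES, FIXED[release]))
    return [(n, v, fixed[n]) for n, v in parse_apt_list(apt_list_output).items()
            if n in fixed and compare_versions(v, fixed[n]) < 0]

# Constructed sample: a Jammy host with the scandeps fix but the pre-fix needrestart.
SAMPLE = ("libmodule-scandeps-perl/jammy,now 1.31-1 all [installed,automatic]\n"
          "needrestart/jammy,now 3.5-5ubuntu2 all [installed]\n")
```

On a real host, feed it the output of the apt list command above together with the codename from /etc/os-release (VERSION_CODENAME).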

How to address

We recommend you upgrade all packages:


sudo apt update && sudo apt upgrade

If this is not possible, only the affected packages can be upgraded:

sudo apt update && sudo apt install --only-upgrade needrestart libmodule-scandeps-perl

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:  

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

Mitigation

The strongest protection is to apply the security updates. The following mitigations have also been explored. If security updates cannot be applied, you should only apply the following steps as a last resort and restore the original configuration file once updates are applied. Please note that modifying configuration files may stop future unattended upgrades from completing successfully, until these are reverted to the original content.

Follow advice from the CVE-2022-30688 needrestart advisory:

Edit /etc/needrestart/needrestart.conf to contain:

# Disable interpreter scanners.
$nrconf{interpscan} = 0;

Acknowledgements

We would like to thank Qualys for their excellent reporting and for inviting Ubuntu Security to coordinate this issue. We would also like to thank Thomas Liske from needrestart and Roderich Schupp from Module::ScanDeps for their support.

References

https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
https://github.com/rschupp/Module-ScanDeps/security/advisories/GHSA-g597-359q-v529
https://phrack.org/issues/55/7.html#article
https://ubuntu.com/security/CVE-2024-48990
https://ubuntu.com/security/CVE-2024-48991
https://ubuntu.com/security/CVE-2024-48992
https://ubuntu.com/security/CVE-2024-11003
https://ubuntu.com/security/CVE-2024-10224
