Qualys has disclosed three vulnerabilities in Needrestart, a utility that restarts background processes after the libraries they use have been updated. The vulnerabilities were discovered in version 0.8 (2014) and were fixed in the Needrestart 3.8 release. The utility is included in the base environment of Ubuntu Server from version 21.04 onwards, where it is launched with root rights at the end of each APT package manager transaction. It scans running processes and restarts those associated with files that changed during the package update. The vulnerabilities allow a local unprivileged user to gain root rights on Ubuntu Server in the default configuration.
The vulnerabilities have already been fixed in Debian and Ubuntu. As a temporary mitigation, users can disable interpreter scanning by setting "$nrconf{interpscan} = 0;" in the /etc/needrestart/needrestart.conf configuration file.
The vulnerabilities stem from the implementation of the mode that detects updates to scripts launched by interpreters. Two of the identified issues, CVE-2024-48990 and CVE-2024-48992, allow a local user to execute code as root by manipulating the environment of the Python interpreter (PYTHONPATH) or the Ruby interpreter (RUBYLIB).
These vulnerabilities arise because Needrestart sets the PYTHONPATH environment variable from the contents of the process's /proc/pid/environ file when restarting changed scripts. An attacker could exploit this by simulating a script change and supplying a PYTHONPATH value that is then used when privileged Python code is executed. For instance, an attacker could create a Python process with a specific environment variable and library path so that Python code is executed with privileges through Needrestart.
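
A triage check for the condition described above, as an added example (not code from Qualys or the Needrestart project): it parses the NUL-separated /proc/<pid>/environ format and lists non-root processes that set PYTHONPATH or RUBYLIB. The function names and the sample environment are constructed for illustration.

```python
import os

# Module search-path variables named in the article.
WATCHED = ("PYTHONPATH", "RUBYLIB")

def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for record in blob.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def suspicious_vars(blob: bytes, owner_uid: int) -> dict:
    """Return watched variables that a non-root process has set.

    Their values are chosen by the process owner, so a tool running as root
    must not copy them into the environment of an interpreter it starts.
    """
    if owner_uid == 0:
        return {}
    env = parse_environ(blob)
    return {k: env[k] for k in WATCHED if env.get(k)}

def scan_proc(proc_root: str = "/proc") -> list:
    """Return (pid, uid, vars) for every flagged process under proc_root."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            uid = os.stat(base).st_uid
            with open(os.path.join(base, "environ"), "rb") as fh:
                hits = suspicious_vars(fh.read(), uid)
        except OSError:  # process exited, or environ not readable
            continue
        if hits:
            findings.append((int(entry), uid, hits))
    return findings

if __name__ == "__main__":
    # Constructed sample: environ of a process owned by UID 1000.
    sample = b"HOME=/home/alice\0PYTHONPATH=/tmp/stage\0LANG=C\0"
    print(suspicious_vars(sample, 1000))
    for pid, uid, hits in scan_proc():
        print(f"pid={pid} uid={uid} {hits}")
```

Run it as root so that other users' environ files are readable; a hit is a lead to review, since both variables also have legitimate uses.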