Decrypt LOL

Critical Local Privilege Escalation Vulnerabilities Found in Needrestart

Quick take - The Qualys Threat Research Unit has identified five critical Local Privilege Escalation vulnerabilities in the needrestart component, which is installed by default on Ubuntu Server. The flaws allow unprivileged users to gain root access without user interaction. Qualys recommends immediate remediation through software updates or configuration changes to mitigate potential risks.

Fast Facts

  • The Qualys Threat Research Unit (TRU) identified five critical Local Privilege Escalation (LPE) vulnerabilities in the needrestart component, affecting versions prior to 3.8, installed by default on Ubuntu Server.
  • Exploitation of these vulnerabilities (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, CVE-2024-11003) allows unprivileged users to gain root access without user interaction, particularly during package installations or upgrades.
  • Immediate remediation is recommended, either by updating to needrestart version 3.8 or disabling the vulnerable feature in the configuration file.
  • The vulnerabilities could lead to unauthorized access to sensitive data, potential malware installation, and significant disruptions to business operations, including data breaches and regulatory non-compliance.
  • Qualys is releasing identifiers related to these vulnerabilities and offers solutions through Qualys TruRisk and CyberSecurity Asset Management (CSAM) to help organizations identify and mitigate risks without immediate patch application.

Five Critical Local Privilege Escalation Vulnerabilities Identified in Needrestart Component

The Qualys Threat Research Unit (TRU) has identified five critical Local Privilege Escalation (LPE) vulnerabilities in the needrestart component, which is installed by default on Ubuntu Server. The vulnerabilities have been assigned the CVE identifiers:

  • CVE-2024-48990
  • CVE-2024-48991
  • CVE-2024-48992
  • CVE-2024-10224
  • CVE-2024-11003

Unprivileged users can exploit these vulnerabilities to gain full root access, and exploitation requires no user interaction. Immediate remediation is strongly recommended to protect the integrity of affected systems.

Exploit Development and Vulnerability History

The TRU team has developed functional exploits for these vulnerabilities but has chosen not to disclose them publicly. It is anticipated that other researchers may release working exploits following coordinated disclosure efforts. The vulnerabilities have existed since the introduction of interpreter support in needrestart version 0.8, which was released in April 2014.

Needrestart is a utility that scans a system to determine whether a restart is necessary, flagging services for restart when they are still using outdated shared libraries after package updates. The vulnerabilities affect needrestart versions prior to 3.8. They enable local attackers to execute arbitrary code as root by manipulating an attacker-controlled environment variable, particularly during package installations or upgrades, when needrestart typically runs as the root user.

Risks and Mitigation Strategies

If successfully exploited, these vulnerabilities could lead to unauthorized access to sensitive data, potential malware installation, and significant disruptions to business operations. The potential consequences include data breaches, regulatory non-compliance, and lasting damage to an organization’s reputation.

To mitigate these risks, enterprises are advised to update the needrestart software to version 3.8, where a fix for these vulnerabilities is available. Alternatively, organizations can disable the vulnerable feature by modifying the configuration file located at /etc/needrestart/needrestart.conf, specifically by disabling the interpreter heuristic.
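
The two remediations above can be checked on a host with a short audit script. This is an added example, not code from the article or from Qualys; the function names are hypothetical, and it assumes the interpreter heuristic is controlled by needrestart's $nrconf{interpscan} setting, which the article does not name.

```shell
#!/bin/sh
# Added example: report whether a host has either remediation in place.

# Return 0 if the last uncommented assignment to $nrconf{interpscan} in the
# given config file sets it to 0 (interpreter heuristic disabled).
interpscan_disabled() {
    conf=$1
    [ -r "$conf" ] || return 2
    # The config is Perl, so a later assignment overrides an earlier one,
    # and a line starting with '#' is only a comment.
    val=$(sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*$/\1/p' "$conf" | tail -n 1)
    [ "$val" = "0" ]
}

# Return 0 if a version string is older than upstream 3.8.
# Caveat: a distribution package can carry a backported fix under an older
# version string, so an "older" result means "check the vendor advisory".
version_before_3_8() {
    v=${1%%[!0-9.]*}                         # drop a suffix such as "-7ubuntu4"
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi   # no minor component given
    minor=${rest%%.*}
    [ "${major:-0}" -lt 3 ] || { [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -lt 8 ]; }
}

# Print a one-line verdict for an installed version and a config path.
audit_needrestart() {
    if ! version_before_3_8 "$1"; then
        echo "ok: version $1 is 3.8 or later"
    elif interpscan_disabled "$2"; then
        echo "mitigated: interpreter scanning disabled in $2"
    else
        echo "exposed: version $1 predates 3.8 and interpreter scanning is enabled"
    fi
}

# Usage on a Debian/Ubuntu host:
#   audit_needrestart "$(dpkg-query -W -f='${Version}' needrestart)" \
#       /etc/needrestart/needrestart.conf
```

A commented-out line such as "#$nrconf{interpscan} = 0;" does not count as a mitigation, which is why the check only accepts an uncommented assignment.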

Qualys is in the process of releasing Qualys Identifiers (QIDs) related to these vulnerabilities, which will be made available as they are ready. Qualys TruRisk provides solutions to mitigate these vulnerabilities without requiring immediate patch application. Organizations can utilize Qualys CyberSecurity Asset Management (CSAM) to identify vulnerable instances of needrestart, while Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, aiding in rapid response and prioritization of remediation efforts. Given the significant risks these vulnerabilities pose to enterprises, prompt action for mitigation is essential.
