Back to Home

CVE-2024-48990: LPE in Needrestart Linux

CVE-2024-48990 vulnerability in Needrestart allows LPE via PYTHONPATH manipulation. Mechanism analysis, PoC exploitation and patching for Ubuntu, Debian. Server protection recommendations.

LPE via Needrestart: CVE-2024-48990 in detail
Advertisement 728x90

# Privilege Escalation in Linux via Needrestart Vulnerability CVE-2024-48990

Vulnerability CVE-2024-48990 allows local privilege escalation (LPE) in the Needrestart utility versions up to 3.8. The issue lies in the handling of the PYTHONPATH environment variable, enabling execution of arbitrary code with root privileges. Affects Ubuntu 21.04 and later, Debian, Fedora, and other Linux distributions. CVSS score: 7.8.

Needrestart scans processes after library updates and restarts vulnerable services. The attack exploits inadequate controls on module loading paths for Python, Perl, and Ruby by substituting them with malicious ones.

Checking the System for Vulnerability

Run this command to check the version:

Google AdInline article slot
needrestart --version | grep -q "3.7" && echo "Definitely vulnerable" || echo "Version is potentially not vulnerable, this simply checks for 3.7"

Versions below 3.8 are vulnerable. The utility runs automatically during package installation via apt, creating an exploitation window.

Step-by-Step Exploitation

For demonstration, use the public PoC. Clone the repository and run the script as a regular user:

cd CVE-2024-48990-PoC-Testing
./runner.sh

The script sets PYTHONPATH to a malicious module. Then, as root or via sudo, perform an action that triggers Needrestart, such as:

Google AdInline article slot
sudo apt remove ntp; sudo apt install ntp

This leads to code execution with root privileges, opening a reverse shell or direct access.

Technical Attack Details

The vulnerability occurs during PYTHONPATH parsing: Needrestart fails to validate paths, allowing injection of a module loaded with elevated privileges. The same applies to PERL5LIB and RUBYLIB.

  • Attacker sets PYTHONPATH=/path/to/malicious.
  • Needrestart imports the module from the specified path during scanning.
  • Payload executes with root privileges.

Requires local access and Needrestart invocation by another user (sudo).

Google AdInline article slot

Protection Measures and Patching

  • Update to Needrestart 3.8 or later: vulnerability fixed with enhanced environment variable validation.
  • Disable interpreter scanning in /etc/needrestart/needrestart.conf:

```

$nrconf{interpscan} = 0;

```

  • Monitor environment variables using auditd or falco.
  • Use AppArmor or SELinux to restrict Needrestart.

Key Points

  • CVE-2024-48990 is exploited via PYTHONPATH without initial root access.
  • Affects Ubuntu 21.04+ servers, Debian, Fedora with Needrestart enabled by default.
  • Patch in version 3.8: full module path validation.
  • Recommended: disable interpscan to minimize risks.
  • Test updates in an isolated environment before deployment.

— Editorial Team

Advertisement 728x90

Read Next