CVE-2024-48990: Local Privilege Escalation in needrestart through Arbitrary Code Execution as Root
> TL;DR:
> needrestart, a utility for identifying and restarting services that are using outdated libraries, has a critical vulnerability that allows local attackers to execute arbitrary code as root by manipulating the PYTHONPATH environment variable. It affects all versions prior to 3.8. Updating to version 3.8 is highly recommended to remediate the vulnerability. Read on for the full details.
Introduction
Qualys researchers have recently discovered a critical vulnerability in needrestart, a popular utility that checks which daemons need to be restarted after library upgrades. The vulnerability, identified as CVE-2024-48990, allows local attackers to execute arbitrary code with root privileges. This article dives deeper into the vulnerability details, explores an example exploit, and provides guidance on mitigating this security risk.
Vulnerability Details
The vulnerability CVE-2024-48990 affects all versions of needrestart before 3.8. It occurs due to an insecure use of the PYTHONPATH environment variable in the program, which allows a local attacker to specify a custom path for importing Python libraries. By crafting a malicious library and setting the PYTHONPATH variable to point to it, the attacker can trick needrestart into running the Python interpreter with an attacker-controlled environment. This would result in arbitrary code execution with root privileges, as needrestart typically runs with elevated privileges.
```
mkdir /tmp/evil_lib
echo 'print("Evil code executed!")' > /tmp/evil_lib/evil_module.py
```
```
export PYTHONPATH=/tmp/evil_lib
```
3. Finally, when needrestart is run with the manipulated PYTHONPATH, it would import our malicious library and execute the code from the evil_module.py file.
This is just a simple example, but it demonstrates how an attacker can execute arbitrary code as root using the insecure handling of the PYTHONPATH environment variable in needrestart.
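The condition described in this section can be audited on a running host. The following Python script is an added example, not code from needrestart or from the Qualys advisory; it reads each process's `/proc/<pid>/environ` and reports `PYTHONPATH` entries that are not owned by root or are group- or world-writable. The function names and the `trusted_uid` parameter are assumptions made for this example.

```python
import os
import stat

def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:  # skip empty or malformed records without '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def risky_entries(pythonpath, trusted_uid=0):
    """Return PYTHONPATH directories an unprivileged user could place modules in."""
    risky = []
    for entry in pythonpath.split(os.pathsep):
        if not entry:
            continue
        try:
            st = os.stat(entry)  # follows symlinks to the real directory
        except OSError:
            continue  # entry does not exist or cannot be inspected
        # Flag anything not owned by the trusted user, or writable by group/other.
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(entry)
    return risky

def scan_proc(proc_root="/proc", trusted_uid=0):
    """Yield (pid, risky entries) for each readable process with a risky PYTHONPATH."""
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        hits = risky_entries(env.get("PYTHONPATH", ""), trusted_uid)
        if hits:
            yield int(pid), hits

if __name__ == "__main__":
    for pid, hits in scan_proc():
        print(f"pid {pid}: PYTHONPATH contains non-root-controlled dirs: {hits}")
```

Run it as root so that the environments of other users' processes are readable. It only checks the listed directories themselves, not the permissions of their parent directories.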
Mitigation and Remediation
To mitigate the risk of this vulnerability, it's necessary to update needrestart to version 3.8 or later, as the developers have addressed the issue in this release. The update can be performed using your system's package manager, such as apt on Debian-based systems:
```
sudo apt-get update && sudo apt-get install needrestart
```
For other systems, refer to the official needrestart repository for instructions on how to download and install the latest version of the tool.
Conclusion
This vulnerability in needrestart is another example of how important it is to keep your software up to date and to review code bases for potential security issues. Through the use of manipulated environment variables like PYTHONPATH, local attackers can potentially gain root access and control over a system. To defend against this type of attack, update needrestart to the latest version and always be vigilant about the software and libraries you use.
For more information on the CVE-2024-48990 vulnerability and its fix, refer to the original Qualys disclosure.
Timeline
Published on: 11/19/2024 18:15:21 UTC
Last modified on: 12/03/2024 14:15:20 UTC