Decade-Old Vulnerabilities in Ubuntu's 'needrestart' Utility Exposed


“How did I not see that?” is the refrain when something new is discovered after the fifth watching of a movie. Software security vulnerability researchers also have those moments. For over a decade, five critical vulnerabilities have existed in the needrestart Linux utility. Researchers from the Qualys Threat Research Unit (TRU) disclosed the flaws after working with the Ubuntu Security Team to ensure patches are available.

The vulnerabilities (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) allow an unprivileged local user to gain root privileges, and with them full control of the system. Two of the flaws concern the Python interpreter (an attacker-controlled PYTHONPATH and a race condition on the interpreter binary), one concerns Ruby (an attacker-controlled RUBYLIB), and the remaining two concern the Perl Module::ScanDeps library and the way needrestart passes file names to it. Although only recently discovered, they have been present since interpreter support (for Python, Ruby, and Perl) was introduced in version 0.8, released in April 2014.

What is the needrestart Utility?

The needrestart utility provides a significant service to a Linux system. It determines which running services are still using libraries, binaries, or dependencies that have since been updated on disk. Many updates do not take effect in a running process until that process is restarted or the machine is rebooted. needrestart reports, and can restart, the affected services, so that the patched code is actually the code that runs. That keeps the system stable and closes the gap between "patch installed" and "patch in effect".

The utility runs as root. It is packaged for various Linux distributions, but on Ubuntu Server it is installed and configured by default and invoked automatically as an APT hook after package upgrades, which is exactly when it inspects every running process on the machine.

The Risk Profile

All software introduces some risk to the enterprise. That risk is elevated when the program in question exists to provide security and integrity benefits, runs as root, and has easily exploitable vulnerabilities, which is the case with needrestart. The five vulnerabilities discovered by the Qualys TRU allow an attacker with local access to the OS, whether through malware or a compromised account, to execute arbitrary code as root. The attacker does not need to attack needrestart directly: it is enough to run a process whose environment or file names needrestart will later trust when it starts an interpreter during its scan.

Saeed Abbasi, Product Manager - Threat Research Unit, Qualys, highlighted in a blog post how dangerous these vulnerabilities are. “This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization’s reputation.”

Qualys confirmed the impact by building working exploits for the flaws, which also showed how easily they can be exploited. Those exploits have not been released.

Response and Mitigation

Mitigation is straightforward. The first step is to determine whether the affected software is installed. If it is, the most effective remedy is to upgrade needrestart to version 3.8, which contains the fixes; Ubuntu and Debian have both released patched packages. If upgrading is not immediately possible, the risk can be removed by disabling interpreter scanning in the needrestart configuration, which is Perl syntax: set `$nrconf{interpscan} = 0;` in /etc/needrestart/needrestart.conf. With that setting needrestart no longer spawns Python, Ruby, or Perl interpreters to inspect running processes, which is the code path all five CVEs depend on.

Patching, or disabling the interpreter scan, is the immediate fix, but organizations can take further steps to build resilience against this class of flaw. Administrators can establish policies that restrict and validate the environment variables a privileged process inherits or passes on, since variables such as PYTHONPATH and RUBYLIB change what an interpreter loads before any intended code runs. They can also apply mandatory access control (AppArmor or SELinux) to confine what processes running as root may read and execute. Routine monitoring of security logs can surface suspicious activity, such as a privileged tool spawning interpreters with unusual arguments or module paths, that may indicate an exploit attempt.
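The following script is an added example for this article; it is not code from Qualys or from the needrestart project. It ties together the two paragraphs above: it checks whether an installed needrestart predates the fixed 3.8 release, writes the interpreter-scan opt-out named in the advisory into a drop-in configuration file, and then shows, using the local python3, why a privileged tool must never launch an interpreter under an untrusted process's environment. Assumptions: the version-parsing logic, the drop-in file name `90-disable-interpscan.conf`, and the use of `sitecustomize.py` as the planted module are this example's own choices; the conf.d directory is the one the packaged configuration reads.

```shell
#!/bin/sh
# Added example for this article (not Qualys's or needrestart's code).
# 1. needrestart_needs_update: is an installed Debian/Ubuntu package version
#    older than the fixed upstream release 3.8?
# 2. write_interpscan_off: drop in the advisory's workaround ($nrconf{interpscan} = 0;).
# 3. interpreter_env_demo: the CVE-2024-48990 class in miniature. A PYTHONPATH
#    entry controlled by an unprivileged user is enough to run code inside any
#    interpreter started with that environment; python's isolated mode (-I)
#    ignores the variable.
set -eu

FIXED_MAJOR=3
FIXED_MINOR=8

# $1 = package version such as "3.6-7ubuntu4.3" or "1:3.8-1"; status 0 if upstream < 3.8.
needrestart_needs_update() {
    upstream=${1%%-*}            # drop the Debian revision
    upstream=${upstream#*:}      # drop an epoch, if any
    major=${upstream%%.*}
    major=${major%%[!0-9]*}
    rest=${upstream#*.}
    [ "$rest" = "$upstream" ] && rest=0   # no minor component at all
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ] && return 0
    return 1
}

# $1 = needrestart drop-in directory (normally /etc/needrestart/conf.d).
# Prints the path of the file written. The file is Perl, like needrestart.conf.
write_interpscan_off() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/90-disable-interpscan.conf" <<'EOF'
# Workaround for CVE-2024-48990/48991/48992/10224/11003 on needrestart < 3.8:
# stop needrestart from spawning Python/Ruby/Perl interpreters while it maps
# the modules loaded by running processes.
$nrconf{interpscan} = 0;
EOF
    printf '%s\n' "$dir/90-disable-interpscan.conf"
}

# Plants sitecustomize.py (imported by python's site module from sys.path at
# startup) in a directory named only by PYTHONPATH, then starts python3 twice
# under a minimal environment. Output: "tainted-env:hijacked isolated:clean".
interpreter_env_demo() {
    py=$(command -v python3) || return 2
    d=$(mktemp -d)
    printf 'print("HIJACKED")\n' > "$d/sitecustomize.py"
    tainted=$(env -i PATH="$PATH" PYTHONPATH="$d" "$py" -c pass)
    isolated=$(env -i PATH="$PATH" PYTHONPATH="$d" "$py" -I -c pass)
    rm -rf "$d"
    [ "$tainted" = "HIJACKED" ] && t=hijacked || t=clean
    [ "$isolated" = "HIJACKED" ] && i=hijacked || i=clean
    printf 'tainted-env:%s isolated:%s\n' "$t" "$i"
}

main() {
    installed=$(dpkg-query -W -f='${Version}' needrestart 2>/dev/null || true)
    if [ -z "$installed" ]; then
        echo "needrestart is not installed here"
    elif needrestart_needs_update "$installed"; then
        echo "needrestart $installed predates 3.8: upgrade, or as root run:"
        echo "    write_interpscan_off /etc/needrestart/conf.d"
    else
        echo "needrestart $installed already carries the fixes"
    fi
    interpreter_env_demo
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh needrestart_check.sh run`. The demo deliberately uses `env -i` so that only the variables passed explicitly reach the interpreter; that allowlist approach is the general lesson for any privileged tool that must spawn a program, and it matters more than a denylist because every interpreter has several such knobs (PYTHONHOME, RUBYOPT, PERL5LIB, LD_PRELOAD) and new ones appear over time.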

Vulnerability Research and Responsible Vulnerability Disclosure

Vulnerability researchers are an interesting bunch. They are always on the lookout for flaws in software, both old and new, that can be exploited by cyber criminals and other bad actors. Similar to Threat Hunters, vulnerability researchers, such as the Qualys TRU, conduct “innovative research, discovery and responsible disclosure of new and critical vulnerabilities in popular software applications. The discovery of these vulnerabilities is always exceedingly difficult and results from thorough audits.”

Following discovery and verification, researchers should engage in responsible vulnerability disclosure. The affected vendors and open-source distributors are informed so that patches and mitigations can be developed, and only once those are available is the public announcement made.

Protecting Open-Source Software

The disclosure of these vulnerabilities illustrates that open-source software has errors, just as packaged commercial software does. The difference is in the response: the open-source community of developers and security teams collaboratively shares knowledge, tools, and fixes to address security concerns, which enhances resiliency and reduces risk.

Vigilance Required

The discovery of five critical vulnerabilities that had gone undetected for a decade in an essential software utility illustrates the point that software security requires constant vigilance. All types of software, both proprietary and open source, are constantly being evaluated for new vulnerabilities. When these are found, mitigation strategies, including patching, are deployed. It is imperative that security teams take the necessary actions required to address risks exposed by software vulnerabilities, such as those recently discovered within the needrestart utility.

The system to discover and close potential vulnerabilities worked in this case. Qualys TRU uncovered the flaws, worked with the appropriate stakeholders to develop patches and additional mitigation actions, and properly notified the community. It is now up to organizations to finish the process by taking action to mitigate the threats.

Author
  • Contributing Writer
    Charles J. Kolodgy is a security strategist, visionary, forecaster, educator, historian, and advisor. He is a thought leader, identifying trends and concepts critical to cybersecurity, with a primary focus on…