'Alarming' bugs lay low in Ubuntu Server utility for 10 years
(2024/11/21)
- Reference: 1732201385
- News link: https://www.theregister.co.uk/2024/11/21/qualys_ubuntu_server_vulnerabilities/
- Source link:
Researchers at Qualys refuse to release exploit code for five bugs in Ubuntu Server's needrestart utility that allow unprivileged attackers to gain root access without any user interaction.
The security shop's Threat Research Unit (TRU) said it was able to develop a working exploit but wouldn't release it, describing the findings as "alarming." Regardless, they said the vulnerabilities are "easily exploitable" and urged admins to apply the recommended fixes promptly.
Saeed Abbasi, product manager at Qualys's TRU, disclosed the five vulnerabilities this week for the first time in a blog, although, according to experts, they were actually introduced in April 2014.
[1]
The vulnerabilities all lie in the needrestart utility of Ubuntu Server, which, intuitively enough, is designed to determine if a restart is needed. For example, if a critical library is updated or an installation or other upgrade is made, it determines that a restart is necessary and executes it automatically.
[2]
[3]
Qualys's more detailed [4]technical notes of the vulnerabilities explain that needrestart offers security benefits by identifying outdated source files, as these may contain bugs, while ironically also being the source of a nasty series of exploits.
"This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands," Abbasi [5]wrote .
[6]
Each of the five vulnerabilities are detailed below:
CVE-2024-48990 (CVSSv3: 7.8) : Relates to needrestart extracting the PYTHONPATH environment variable to determine whether a restart is needed. If a local attacker can control this variable, they can execute code as root.
CVE-2024-48991 (CVSSv3: 7.8) : Also concerning the [7]Python interpreter, the utility is vulnerable to a TOCTOU race condition, which, if exploited successfully, allows an attacker to run their own Python interpreter and execute code as root. The researchers believe it also affects the Ruby interpreter but couldn't confirm in time for the disclosure.
CVE-2024-48992 (CVSSv3: 7.8) : Essentially the same bug as CVE-2024-48990, but it instead affects the Ruby interpreter, with the confirmation made shortly before the disclosure at the last hour.
CVE-2024-10224 (CVSSv3: 5.3) : Relates to needrestart's [8]Perl interpreter, which behaves differently from the Python and Ruby equivalents, although the description notes the vulnerability technically lies in Perl's ScanDeps module, which executes the interpreter. Attackers can craft filenames in the format of the shell commands they want to execute.
CVE-2024-11003 (CVSSv3: 7.8) : Relates to CVE-2024-10224 and concerns the unsanitized input that's passed to ScanDeps that can lead to the execution of arbitrary shell commands.
[9]NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great
[10]Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk
[11]Seoul accuses North Korea of stealing southern chipmakers' designs
[12]So, are we going to talk about how GitHub is an absolute boon for malware, or nah?
Needrestart is installed by default and was introduced in version 0.8 more than ten years ago. All versions of the utility before 3.8 are considered vulnerable and attackers could execute code as root. Versions after 3.8 have the fix applied.
Ubuntu Server is widely used, especially for running [13]VMs , and although there are no exact figures that show how many instances are currently vulnerable, the number is likely to be in the millions.
The vulnerabilities, however, could be worse. The fact that an attacker would need local access to an [14]Ubuntu Server instance means prospective attackers would need to go through the added hoops of gaining such access through the likes of remote access software, malware, or valid credentials.
"An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security," Abbasi added.
[15]
"This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization's reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature."
Upgrading to version 3.8 or later of needrestart is the recommended course of action, although Qualys also said that users can modify needrestart's configuration to disable its interpreter heuristic, which mitigates the issue. ®
Get our [16]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
[5] https://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/11/05/python_dethrones_javascript_github/
[8] https://www.theregister.com/2021/08/13/perl_resignations/
[9] https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
[10] https://www.theregister.com/2024/07/01/regresshion_openssh/
[11] https://www.theregister.com/2024/03/04/north_korea_hacking_chipmakers/
[12] https://www.theregister.com/2024/01/12/github_malware_popularity/
[13] https://www.theregister.com/2024/06/19/proxmox_xcp_ng_gpu_passthrough/
[14] https://www.theregister.com/2024/10/11/ubuntu_oracular_oriole_released/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[16] https://whitepapers.theregister.com/
The security shop's Threat Research Unit (TRU) said it was able to develop a working exploit but wouldn't release it, describing the findings as "alarming." Regardless, they said the vulnerabilities are "easily exploitable" and urged admins to apply the recommended fixes promptly.
Saeed Abbasi, product manager at Qualys's TRU, disclosed the five vulnerabilities this week for the first time in a blog, although, according to experts, they were actually introduced in April 2014.
[1]
The vulnerabilities all lie in the needrestart utility of Ubuntu Server, which, intuitively enough, is designed to determine if a restart is needed. For example, if a critical library is updated or an installation or other upgrade is made, it determines that a restart is necessary and executes it automatically.
[2]
[3]
Qualys's more detailed [4]technical notes of the vulnerabilities explain that needrestart offers security benefits by identifying outdated source files, as these may contain bugs, while ironically also being the source of a nasty series of exploits.
"This exploit is achieved by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter, passing unsanitized data to a library that expects safe input, thereby enabling the execution of arbitrary shell commands," Abbasi [5]wrote .
[6]
Each of the five vulnerabilities are detailed below:
CVE-2024-48990 (CVSSv3: 7.8) : Relates to needrestart extracting the PYTHONPATH environment variable to determine whether a restart is needed. If a local attacker can control this variable, they can execute code as root.
CVE-2024-48991 (CVSSv3: 7.8) : Also concerning the [7]Python interpreter, the utility is vulnerable to a TOCTOU race condition, which, if exploited successfully, allows an attacker to run their own Python interpreter and execute code as root. The researchers believe it also affects the Ruby interpreter but couldn't confirm in time for the disclosure.
CVE-2024-48992 (CVSSv3: 7.8) : Essentially the same bug as CVE-2024-48990, but it instead affects the Ruby interpreter, with the confirmation made shortly before the disclosure at the last hour.
CVE-2024-10224 (CVSSv3: 5.3) : Relates to needrestart's [8]Perl interpreter, which behaves differently from the Python and Ruby equivalents, although the description notes the vulnerability technically lies in Perl's ScanDeps module, which executes the interpreter. Attackers can craft filenames in the format of the shell commands they want to execute.
CVE-2024-11003 (CVSSv3: 7.8) : Relates to CVE-2024-10224 and concerns the unsanitized input that's passed to ScanDeps that can lead to the execution of arbitrary shell commands.
[9]NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great
[10]Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk
[11]Seoul accuses North Korea of stealing southern chipmakers' designs
[12]So, are we going to talk about how GitHub is an absolute boon for malware, or nah?
Needrestart is installed by default and was introduced in version 0.8 more than ten years ago. All versions of the utility before 3.8 are considered vulnerable and attackers could execute code as root. Versions after 3.8 have the fix applied.
Ubuntu Server is widely used, especially for running [13]VMs , and although there are no exact figures that show how many instances are currently vulnerable, the number is likely to be in the millions.
The vulnerabilities, however, could be worse. The fact that an attacker would need local access to an [14]Ubuntu Server instance means prospective attackers would need to go through the added hoops of gaining such access through the likes of remote access software, malware, or valid credentials.
"An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security," Abbasi added.
[15]
"This poses considerable risks for enterprises, including unauthorized access to sensitive data, malware installation, and disruption of business operations. It could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting the organization's reputation. Enterprises should swiftly mitigate this risk by updating the software or disabling the vulnerable feature."
Upgrading to version 3.8 or later of needrestart is the recommended course of action, although Qualys also said that users can modify needrestart's configuration to disable its interpreter heuristic, which mitigates the issue. ®
Get our [16]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
[5] https://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/11/05/python_dethrones_javascript_github/
[8] https://www.theregister.com/2021/08/13/perl_resignations/
[9] https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
[10] https://www.theregister.com/2024/07/01/regresshion_openssh/
[11] https://www.theregister.com/2024/03/04/north_korea_hacking_chipmakers/
[12] https://www.theregister.com/2024/01/12/github_malware_popularity/
[13] https://www.theregister.com/2024/06/19/proxmox_xcp_ng_gpu_passthrough/
[14] https://www.theregister.com/2024/10/11/ubuntu_oracular_oriole_released/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz9nLx54Ytz0ztFCF7WY4QAAABg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[16] https://whitepapers.theregister.com/
General Linux utility
Anonymous Coward
Why is this presented as a 'Ubuntu Server utility'? It's availaible on most distros and not just for servers either.
Re: General Linux utility
Henry 8
The Qualys post everyone is linking to says "The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. " which seems to have been widely misinterpreted (in every report I've seen on this issue) as "this is a bug in Ubuntu Server"
I suppose that, as is usual with Linux utilities needrestart can be updated without needing a restart.