Ethical Hacking News
A long-standing vulnerability in the needrestart utility shipped with Ubuntu Server has been disclosed by Qualys researchers, leaving millions of users worldwide at risk: an unprivileged local attacker can gain root access without any user interaction. Although the flawed code was introduced over a decade ago, the vulnerabilities were not addressed until now, underlining the importance of regular security audits and updates.
Ubuntu Server has a vulnerability (CVE-2024-48990) in the needrestart utility, introduced in 2014, which poses significant security risks to millions of users. The vulnerability allows attackers to gain root access and compromise system integrity and security through a TOCTOU race condition. There are five identified vulnerabilities: CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. The vulnerability affects Ubuntu Server users worldwide, estimated to be in the millions, and highlights a significant oversight on the part of Ubuntu's developers. Qualys recommends administrators apply the recommended fixes promptly, and users modify their configuration to disable the interpreter heuristic to mitigate the issue.
Qualys has disclosed a shocking discovery regarding the needrestart utility in Ubuntu Server, where the flaw has been lying dormant for over a decade. The vulnerability, identified as CVE-2024-48990, was introduced in 2014 and had remained unaddressed until this disclosure, posing significant security risks to millions of users worldwide.
The needrestart utility, designed to determine if a restart is needed, is typically utilized when critical library updates or installations are made. However, this seemingly innocuous feature has inadvertently created an entry point for malicious actors to exploit, allowing them to gain root access and compromise system integrity and security.
According to Saeed Abbasi, product manager at Qualys's Threat Research Unit (TRU), the vulnerability is "alarming" in nature, as it enables attackers to execute arbitrary shell commands by manipulating an attacker-controlled environment variable that influences the Python/Ruby interpreter. This exploitation method, dubbed a TOCTOU race condition, takes advantage of the utility's heuristic approach to determine whether a restart is needed.
The five identified vulnerabilities are detailed below:
- CVE-2024-48990 (CVSSv3: 7.8): Relates to needrestart extracting the PYTHONPATH environment variable to determine whether a restart is needed. If a local attacker can control this variable, they can execute code as root.
- CVE-2024-48991 (CVSSv3: 7.8): Also concerning the Python interpreter, the utility is vulnerable to a TOCTOU race condition, which, if exploited successfully, allows an attacker to run their own Python interpreter and execute code as root. The researchers believe it also affects the Ruby interpreter but couldn't confirm in time for the disclosure.
- CVE-2024-48992 (CVSSv3: 7.8): Essentially the same bug as CVE-2024-48990, but affecting the Ruby interpreter instead; the researchers confirmed it only at the last hour before disclosure.
- CVE-2024-10224 (CVSSv3: 5.3): Relates to needrestart's Perl interpreter, which behaves differently from the Python and Ruby equivalents, although the description notes the vulnerability technically lies in Perl's ScanDeps module, which executes the interpreter. Attackers can craft filenames in the format of the shell commands they want to execute.
- CVE-2024-11003 (CVSSv3: 7.8): Relates to CVE-2024-10224 and concerns the unsanitized input that's passed to ScanDeps, leading to the execution of arbitrary shell commands.
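The common thread in the list above is a privileged tool that re-executes an interpreter it found inside another user's process, once with that process's environment (the PYTHONPATH and RUBYLIB issues) and once with a filename handed to a shell (the ScanDeps issues). The following is an added example, not needrestart's or Qualys's code, showing the two defensive patterns that close those doors: build a clean environment instead of inheriting the inspected process's, and pass filenames as discrete argv elements with no shell in the chain. The list of interpreter-steering variables, the sample /proc/<pid>/environ content and the file name with metacharacters are all constructed for this example.

```python
"""Added example (not needrestart's code): two defensive patterns for a
privileged tool that has to spawn an interpreter it found in another
process, which is the situation the CVEs above arise from.

1. Do not inherit the inspected process's environment; build a clean one.
2. Do not hand a filename to a shell; pass it as one argv element.
"""
import os
import subprocess
import sys
import tempfile

# Variables that let the owner of the inspected process steer what a freshly
# spawned interpreter loads. The list is this example's own choice.
INTERP_CONTROL_VARS = frozenset({
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP",
    "RUBYLIB", "RUBYOPT",
    "PERL5LIB", "PERL5OPT", "PERLLIB",
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
})
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed sample of what /proc/<pid>/environ looks like for a process
# whose owner has set PYTHONPATH (the CVE-2024-48990 ingredient).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0PYTHONPATH=/home/user/lib\0LANG=C.UTF-8\0"


def parse_proc_environ(raw):
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def control_vars_present(proc_env):
    """Names of interpreter-steering variables found in a process's env."""
    return sorted(k for k in proc_env if k in INTERP_CONTROL_VARS)


def build_clean_env(proc_env):
    """Environment for the re-executed interpreter: a fixed PATH plus LANG,
    and nothing else from the inspected process."""
    clean = {"PATH": SAFE_PATH}
    if "LANG" in proc_env:
        clean["LANG"] = proc_env["LANG"]
    return clean


def child_pythonpath(env):
    """Spawn this Python in isolated mode (-I) with the given env and report
    the PYTHONPATH the child sees, or 'unset' if nothing leaked through."""
    result = subprocess.run(
        [sys.executable, "-I", "-c",
         "import os; print(os.environ.get('PYTHONPATH', 'unset'))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def scan_argv(interpreter, filename):
    """argv for an interpreter that only parses a file. With no shell in the
    chain, a filename such as 'x; true' remains one literal argument."""
    return [interpreter, "-I", "-c",
            "import ast, sys; ast.parse(open(sys.argv[1], 'rb').read())",
            filename]


def parses_cleanly(filename):
    """Run scan_argv on a path and return True if it parsed as Python."""
    result = subprocess.run(scan_argv(sys.executable, filename),
                            env=build_clean_env({}), capture_output=True)
    return result.returncode == 0


def demo():
    proc_env = parse_proc_environ(SAMPLE_ENVIRON)
    inherited = child_pythonpath(proc_env)                  # '/home/user/lib'
    isolated = child_pythonpath(build_clean_env(proc_env))  # 'unset'
    with tempfile.TemporaryDirectory() as d:
        odd = os.path.join(d, "x; true")  # shell metacharacters in the name
        with open(odd, "w") as f:
            f.write("print('hello')\n")
        parsed = parses_cleanly(odd)      # True: the name is used literally
    return inherited, isolated, parsed


if __name__ == "__main__":
    print(demo())
```

Running the block shows the inherited spawn reporting the process owner's PYTHONPATH while the cleaned spawn reports none, and the file whose name contains `;` being parsed as an ordinary path. Python's `-I` flag additionally tells the child to ignore PYTHONPATH and user site directories even if they were present, which is a second, independent layer; Ruby and Perl have no identical switch, so for them the clean environment is the layer that matters.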
Ubuntu Server is widely utilized, especially for running virtual machines (VMs), and although exact figures are not available, the number of vulnerable instances is estimated to be in the millions. The presence of these vulnerabilities highlights a significant oversight on the part of Ubuntu's developers, as they were introduced over a decade ago without being addressed.
Qualys urges administrators to apply the recommended fixes promptly, recommending upgrades to version 3.8 or later of the needrestart utility. Moreover, users can modify the configuration to disable the interpreter heuristic, which mitigates the issue.
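The two mitigations named above, a needrestart at version 3.8 or later or the interpreter heuristic switched off, can be checked locally. The following added example (not Qualys's or needrestart's own tooling) parses a Debian package version string down to its upstream number and looks for an active `$nrconf{interpscan} = 0;` line, which is the knob in /etc/needrestart/needrestart.conf that disables the interpreter scan. The two configuration samples are constructed; the `dpkg-query` call is only made in `live_check()`.

```python
"""Added example (not Qualys's or needrestart's code): a local check for the
two mitigations named in the disclosure, an upgraded needrestart package or
the interpreter heuristic switched off in needrestart.conf."""
import re
import shutil
import subprocess

FIXED_UPSTREAM = (3, 8)  # "version 3.8 or later" per the disclosure
CONF_PATH = "/etc/needrestart/needrestart.conf"

# Constructed samples of needrestart.conf contents: the stock file leaves the
# line commented out, the hardened file activates it.
CONF_DEFAULT = "# Disable interpreter scanning.\n#$nrconf{interpscan} = 0;\n"
CONF_HARDENED = "$nrconf{interpscan} = 0;\n"


def upstream_version(dpkg_version):
    """Reduce a Debian package version to its numeric upstream part:
    '1:3.6-7ubuntu4' -> (3, 6). Epoch and revision are discarded."""
    without_epoch = dpkg_version.split(":", 1)[-1]
    upstream = without_epoch.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream))


def upstream_is_fixed(dpkg_version):
    """True when the upstream version is 3.8 or later."""
    return upstream_version(dpkg_version) >= FIXED_UPSTREAM


# An uncommented line that assigns 0 to the interpscan setting.
INTERPSCAN_OFF = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*0\s*;", re.M)


def interpscan_disabled(conf_text):
    """True when needrestart.conf actively sets $nrconf{interpscan} to 0."""
    return INTERPSCAN_OFF.search(conf_text) is not None


def assess(dpkg_version, conf_text):
    """Combine both signals into a one-line verdict."""
    if upstream_is_fixed(dpkg_version):
        return "fixed: upstream version at or above 3.8"
    if interpscan_disabled(conf_text):
        return "mitigated: interpreter scan disabled"
    return "unmitigated: upgrade or set $nrconf{interpscan} = 0;"


def live_check():
    """Read the real package version and configuration on this host."""
    if shutil.which("dpkg-query") is None:
        return "dpkg-query not available (not a Debian-based system)"
    out = subprocess.run(
        ["dpkg-query", "-W", "-f=${Version}", "needrestart"],
        capture_output=True, text=True,
    )
    if out.returncode != 0:
        return "needrestart not installed"
    try:
        with open(CONF_PATH) as f:
            conf = f.read()
    except OSError:
        conf = ""
    return assess(out.stdout.strip(), conf)


if __name__ == "__main__":
    print(live_check())
```

One caveat for anyone turning this into a fleet check: Ubuntu and Debian ship security fixes as backports that keep the upstream number (a patched package can still report a 3.x below 3.8 with only the Debian revision bumped), so the version half of this check reports "unmitigated" for a host that is in fact patched. Treat the distribution's own security notice or `apt changelog needrestart` as authoritative for the package version, and rely on the interpscan half as the configuration-level confirmation.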
The implications of these vulnerabilities are far-reaching, with enterprises facing considerable risks due to unauthorized access to sensitive data, malware installation, and disruption of business operations. The failure to address these security concerns could lead to data breaches, regulatory non-compliance, and erosion of trust among customers and stakeholders, ultimately affecting an organization's reputation.
In conclusion, the vulnerability disclosed by Qualys underscores the importance of regular security audits and updates on widely utilized systems like Ubuntu Server. As technology evolves rapidly, it is essential for developers to prioritize addressing known vulnerabilities and ensuring that their software remains secure against emerging threats.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/11/21/qualys_ubuntu_server_vulnerabilities/
https://nvd.nist.gov/vuln/detail/CVE-2024-48990
https://www.cvedetails.com/cve/CVE-2024-48990/
https://nvd.nist.gov/vuln/detail/CVE-2024-48991
https://www.cvedetails.com/cve/CVE-2024-48991/
https://nvd.nist.gov/vuln/detail/CVE-2024-48992
https://www.cvedetails.com/cve/CVE-2024-48992/
https://nvd.nist.gov/vuln/detail/CVE-2024-10224
https://www.cvedetails.com/cve/CVE-2024-10224/
https://nvd.nist.gov/vuln/detail/CVE-2024-11003
https://www.cvedetails.com/cve/CVE-2024-11003/
Published: Thu Nov 21 09:30:08 2024 by llama3.2 3B Q4_K_M