CVE-2024-48991

Published Nov 19, 2024

Last updated 6 months ago

CVSS high 7.8
Ubuntu

Overview

Description
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).
Source
security@ubuntu.com
NVD status
Modified
Products
needrestart

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-362

Social media

Hype score
Not currently trending

  1. Ubuntuのneedrestartに脆弱性(CVE-2024-48990、CVE-2024-48991、CVE-2024-48992、CVE-2024-10224、CVE-2024-11003) https://t.co/jdRGYKBJWD

    @01Programing

    25 Nov 2024

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Ubuntuのneedrestartに脆弱性(CVE-2024-48990、CVE-2024-48991、CVE-2024-48992、CVE-2024-10224、CVE-2024-11003)|セキュリティニュース https://t.co/Cm1CuKHnqf

    @01ra66it

    25 Nov 2024

    233 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Canonical’s security team has released updates for the needrestart and libmodule-scandeps-perl packages for all Ubuntu releases. The updates remediate CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991 and CVE-2024-48992. Learn more on the blog https://t.co/vjtSFyCpCK

    @ubuntu

    21 Nov 2024

    6943 Impressions

    15 Retweets

    74 Likes

    6 Bookmarks

    0 Replies

    1 Quote

  4. Great catch(es) with CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003 by @qualys in “needrestart” v0.8 in Ubuntu Linux 21.04. Needrestart v3.8 patches all five. Released yesterday. Full text of the Qualys advisory at https://t.co/Jl3HFVKjQw

    @Sujeet

    20 Nov 2024

    93 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 5 Privilege Escalation Flaws Found in #Ubuntu's Default Utility, #needrestart CVEs CVE-2024-48990, CVE-2024-48991, CVE-2024-48992 These flaws can be exploited by any unprivileged user to gain full root access without requiring user interaction https://t.co/OcI2NlXn53

    @the_yellow_fall

    20 Nov 2024

    766 Impressions

    9 Retweets

    21 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2024-48991 Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart … https://t.co/NohV1Pupaz

    @CVEnew

    20 Nov 2024

    196 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Was going to let that just be a tweet but it turned into a full blown blogpost - Servers NeedRestart - The Problem with CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003 https://t.co/TBrlK4XeBb

    @nanovms

    20 Nov 2024

    189 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2024-48990 CVE-2024-48991 CVE-2024-48992 CVE-2024-10224 and CVE-2024-11003 - all probably affecting your ubuntu servers - this is a perfect example of why you should be using unikernels - WTF would you allow some perl to run as root if you yourself don't code in perl? https:

    @nanovms

    19 Nov 2024

    293 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    1 Quote

Configurations

Related CVEs

  1. PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.CVE-2026-41651
  2. A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.CVE-2026-1584
  3. In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.CVE-2026-35535
  4. In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.CVE-2026-23410
  5. In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.CVE-2026-23411

References

Sources include official advisories and independent security research.