SB2024112721 - Multiple privilege escalation vulnerabilities in needrestart
Published: November 27, 2024 Updated: January 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2024-48990)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure handling of environment variables. A local user can trick the application into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable and execute arbitrary code on the system as root.
2) Race condition (CVE-ID: CVE-2024-48991)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. A local user can force the application into running a malicious Python interpreter instead the system one and execute arbitrary code as root.
3) Code Injection (CVE-ID: CVE-2024-48992)
The vulnerability allows a local user to escalate privileges on the system.
4) OS Command Injection (CVE-ID: CVE-2024-11003)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the application passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. A local user can execute arbitrary OS commands as root.
Note, the vulnerability is related to #VU100773 (CVE-2024-10224).
Remediation
Install update from vendor's website.
References
- https://github.com/liske/needrestart/commit/fcc9a4401392231bef4ef5ed026a0d7a275149ab
- https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
- https://github.com/liske/needrestart/commit/42af5d328901287a4f79d1f5861ac827a53fd56d
- https://github.com/liske/needrestart/commit/6ce6136cccc307c6b8a0f8cae12f9a22ac2aad59
- https://github.com/liske/needrestart/commit/b5f25f6ec6e7dd0c5be249e4e45de4ee9ffe594f
- https://github.com/liske/needrestart/commit/0f80a348883f72279a859ee655f58da34babefb0