# CVE-2024-48990: Needrestart Local Privilege Escalation on Linux ## Overview A new Linux vulnerability identified as **CVE-2024-48990** affects the widely used `needrestart` utility. This tool checks which daemons require restarting after a system update. Unfortunately, due to improper input validation in its Perl-based logic, local attackers can escalate privileges on systems using needrestart versions prior to 3.6.0. The vulnerability was responsibly disclosed by Qualys and publicly discussed in their security advisory on [qualys.com](https://www.qualys.com/2024/11/19/needrestart/needrestart.txt). A fully functional Proof-of-Concept (PoC) exploit has also been released at [makuga01/CVE-2024-48990-PoC](https://github.com/makuga01/CVE-2024-48990-PoC), demonstrating real-world exploitation potential. --- ## Affected Component - **Component**: `needrestart` - **Language**: Perl - **Affected Versions**: < 3.6.0 - **Fixed Version**: 3.6.0 --- ## Root Cause Analysis The issue lies in how `needrestart` executes a check on the current process list (`/proc/*/exe`) to determine which services must be restarted. Specifically, the Perl code does the following: ```perl readlink("/proc/$pid/exe") ``` However, `needrestart` does **not sanitize** the path returned by `readlink`, which can be manipulated using symbolic links or crafted `/proc` entries. If an attacker can create a symbolic link for a malicious file (e.g., named like a systemd or SSH daemon binary), `needrestart` may interpret it as a legitimate system process and **execute arbitrary code or commands** as root during its automatic service check. --- ## Exploitation Process The proof-of-concept by `makuga01` demonstrates a **local privilege escalation** scenario using the following steps: 1. **Create a malicious executable**: The attacker crafts a fake binary (e.g., `malicious_sshd`) that opens a root shell or spawns a backdoor. 2. **Link it to a fake process entry**: The attacker sets up a fake `/proc/[pid]/exe` structure using `bind` mounts or overlay filesystems, pointing to their malicious binary. 3. **Trigger `needrestart`**: When a system update occurs (or when a user runs `needrestart` manually or via a cronjob), the tool checks processes and executes or evaluates the fake path unsafely. 4. **Code Execution as root**: The unsanitized input leads to code execution under root privileges, escalating the attacker’s local access. --- ## Proof-of-Concept Walkthrough The GitHub repository [`makuga01/CVE-2024-48990-PoC`](https://github.com/makuga01/CVE-2024-48990-PoC) outlines the PoC steps in detail. ### PoC Breakdown: - **Environment**: Debian-based Linux (but potentially affects all Linux systems with needrestart < 3.6.0) - **Exploit Components**: - `exploit.sh`: Shell script that sets up the malicious environment. - Fake `exe` paths via mount tricks. - Payload: A simple `setuid` binary or shell that grants root access. --- ## Mitigation **If you're running a vulnerable version of needrestart, upgrade to version 3.6.0 immediately.** ### Additional Recommendations: - Disable automatic `needrestart` invocation if not required. - Use AppArmor or SELinux to restrict execution paths. - Monitor for suspicious symbolic links or binaries resembling daemons (e.g., `sshd`, `systemd`, etc.). --- ## Detection Blue teams and SOC analysts can check for exploitation attempts by: - Auditing `/proc/*/exe` paths for inconsistencies. - Monitoring `needrestart` logs for abnormal entries or non-standard binaries. - Using `auditd` to watch bind mounts or symlink creation under `/proc`. --- ## Timeline - **Discovery**: Prior to November 2024 by Qualys Research Team. - **Public Disclosure**: November 19, 2024. - **PoC Released**: May 2025 by makuga01. --- ## References - 🔗 Official Advisory by Qualys: [https://www.qualys.com/2024/11/19/needrestart/needrestart.txt](https://www.qualys.com/2024/11/19/needrestart/needrestart.txt) - 💣 Exploit PoC Repository: [https://github.com/makuga01/CVE-2024-48990-PoC](https://github.com/makuga01/CVE-2024-48990-PoC) - 🛠 Fixed Version on Debian: `needrestart_3.6-0` --- ## Conclusion CVE-2024-48990 is a **high-impact local privilege escalation vulnerability** in the Linux `needrestart` utility, widely deployed on production systems. Its exploitation is straightforward, especially in unmonitored or automation-heavy environments. The existence of a public PoC and the nature of the flaw make it critical for system administrators to patch immediately and review their update pipelines for similar post-update hooks or tools. ```diff + PATCH NOW IF YOU USE NEEDRESTART < 3.6.0 ``` --- ## Tags `#CVE2024 #LinuxLPE #Needrestart #PrivilegeEscalation #Exploit #PoC #Debian #Perl #BindMountAbuse #QualysDisclosure`

Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

CVE-2024-48990: Needrestart Local Privilege Escalation on Linux

NikolasHume

CVE-2024-48990: Needrestart Local Privilege Escalation on Linux

Overview

A new Linux vulnerability identified as CVE-2024-48990 affects the widely used needrestart utility. This tool checks which daemons require restarting after a system update. Unfortunately, due to improper input validation in its Perl-based logic, local attackers can escalate privileges on systems using needrestart versions prior to 3.6.0.

The vulnerability was responsibly disclosed by Qualys and publicly discussed in their security advisory on qualys.com. A fully functional Proof-of-Concept (PoC) exploit has also been released at makuga01/CVE-2024-48990-PoC, demonstrating real-world exploitation potential.

Affected Component

Component: needrestart
Language: Perl
Affected Versions: < 3.6.0
Fixed Version: 3.6.0

Root Cause Analysis

The issue lies in how needrestart executes a check on the current process list (/proc/*/exe) to determine which services must be restarted.

Specifically, the Perl code does the following:

readlink("/proc/$pid/exe")

However, needrestart does not sanitize the path returned by readlink, which can be manipulated using symbolic links or crafted /proc entries.

If an attacker can create a symbolic link for a malicious file (e.g., named like a systemd or SSH daemon binary), needrestart may interpret it as a legitimate system process and execute arbitrary code or commands as root during its automatic service check.

Exploitation Process

The proof-of-concept by makuga01 demonstrates a local privilege escalation scenario using the following steps:

Create a malicious executable:
The attacker crafts a fake binary (e.g., malicious_sshd) that opens a root shell or spawns a backdoor.
Link it to a fake process entry:
The attacker sets up a fake /proc/[pid]/exe structure using bind mounts or overlay filesystems, pointing to their malicious binary.
Trigger needrestart:
When a system update occurs (or when a user runs needrestart manually or via a cronjob), the tool checks processes and executes or evaluates the fake path unsafely.
Code Execution as root:
The unsanitized input leads to code execution under root privileges, escalating the attacker’s local access.

Proof-of-Concept Walkthrough

The GitHub repository makuga01/CVE-2024-48990-PoC outlines the PoC steps in detail.

PoC Breakdown:

Environment: Debian-based Linux (but potentially affects all Linux systems with needrestart < 3.6.0)
Exploit Components:
- exploit.sh: Shell script that sets up the malicious environment.
- Fake exe paths via mount tricks.
- Payload: A simple setuid binary or shell that grants root access.

Mitigation

If you're running a vulnerable version of needrestart, upgrade to version 3.6.0 immediately.

Additional Recommendations:

Disable automatic needrestart invocation if not required.
Use AppArmor or SELinux to restrict execution paths.
Monitor for suspicious symbolic links or binaries resembling daemons (e.g., sshd, systemd, etc.).

Detection

Blue teams and SOC analysts can check for exploitation attempts by:

Auditing /proc/*/exe paths for inconsistencies.
Monitoring needrestart logs for abnormal entries or non-standard binaries.
Using auditd to watch bind mounts or symlink creation under /proc.

Timeline

Discovery: Prior to November 2024 by Qualys Research Team.
Public Disclosure: November 19, 2024.
PoC Released: May 2025 by makuga01.

References

🔗 Official Advisory by Qualys: https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
💣 Exploit PoC Repository: https://github.com/makuga01/CVE-2024-48990-PoC
🛠 Fixed Version on Debian: needrestart_3.6-0

Conclusion

CVE-2024-48990 is a high-impact local privilege escalation vulnerability in the Linux needrestart utility, widely deployed on production systems. Its exploitation is straightforward, especially in unmonitored or automation-heavy environments. The existence of a public PoC and the nature of the flaw make it critical for system administrators to patch immediately and review their update pipelines for similar post-update hooks or tools.

+ PATCH NOW IF YOU USE NEEDRESTART < 3.6.0

Download Now—Top Software, No Cost!