CVE-2024-48990: Needrestart Local Privilege Escalation on Linux
Overview
A new Linux vulnerability identified as CVE-2024-48990 affects the widely used needrestart utility. This tool checks which daemons require restarting after a system update. Unfortunately, due to improper input validation in its Perl-based logic, local attackers can escalate privileges on systems running needrestart versions prior to 3.6.0.
The vulnerability was responsibly disclosed by Qualys and publicly discussed in their security advisory on qualys.com. A fully functional Proof-of-Concept (PoC) exploit has also been released at makuga01/CVE-2024-48990-PoC, demonstrating real-world exploitation potential.
Affected Component
- Component: needrestart
- Language: Perl
- Affected Versions: < 3.6.0
- Fixed Version: 3.6.0
Root Cause Analysis
The issue lies in how needrestart inspects the current process list (/proc/*/exe) to determine which services must be restarted.
Specifically, the Perl code does the following:
readlink("/proc/$pid/exe")
However, needrestart does not sanitize the path returned by readlink, which can be manipulated using symbolic links or crafted /proc entries.
If an attacker can create a symbolic link to a malicious file (e.g., named like a systemd or SSH daemon binary), needrestart may interpret it as a legitimate system process and execute arbitrary code or commands as root during its automatic service check.
Exploitation Process
The proof-of-concept by makuga01 demonstrates a local privilege escalation scenario using the following steps:
- Create a malicious executable: The attacker crafts a fake binary (e.g., malicious_sshd) that opens a root shell or spawns a backdoor.
- Link it to a fake process entry: The attacker sets up a fake /proc/[pid]/exe structure using bind mounts or overlay filesystems, pointing to their malicious binary.
- Trigger needrestart: When a system update occurs (or when a user runs needrestart manually or via a cronjob), the tool checks processes and executes or evaluates the fake path unsafely.
- Code execution as root: The unsanitized input leads to code execution under root privileges, escalating the attacker's local access.
Proof-of-Concept Walkthrough
The GitHub repository makuga01/CVE-2024-48990-PoC outlines the PoC steps in detail.
PoC Breakdown:
- Environment: Debian-based Linux (but potentially affects all Linux systems with needrestart < 3.6.0)
- Exploit Components:
  - exploit.sh: Shell script that sets up the malicious environment.
  - Fake exe paths via mount tricks.
- Payload: A simple setuid binary or shell that grants root access.
Mitigation
If you're running a vulnerable version of needrestart, upgrade to version 3.6.0 immediately.
Additional Recommendations:
- Disable automatic needrestart invocation if not required.
- Use AppArmor or SELinux to restrict execution paths.
- Monitor for suspicious symbolic links or binaries resembling daemons (e.g., sshd, systemd, etc.).
Detection
Blue teams and SOC analysts can check for exploitation attempts by:
- Auditing /proc/*/exe paths for inconsistencies.
- Monitoring needrestart logs for abnormal entries or non-standard binaries.
- Using auditd to watch bind mounts or symlink creation under /proc.
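One way to implement the first check above (auditing /proc/*/exe targets against where daemons of that name are expected to live), as an added example that is not part of the original post or of needrestart; the trusted directories and the daemon-name pattern are assumptions chosen for illustration:

```python
import os
import re

# Directories where system daemons are expected to live (assumption).
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                "/usr/lib/systemd/", "/lib/systemd/")
# Names resembling the daemons the post mentions (assumption).
DAEMON_LIKE = re.compile(r"(sshd|systemd|cron|rsyslog|dbus)")

def check_process(pid, comm, exe_target):
    """Return findings for one process given its comm name and the
    readlink() result of /proc/<pid>/exe; an empty list means nothing odd."""
    findings = []
    deleted = exe_target.endswith(" (deleted)")
    path = exe_target[:-len(" (deleted)")] if deleted else exe_target
    base = os.path.basename(path)
    if deleted:
        # The binary on disk was unlinked or replaced after exec.
        findings.append(f"pid {pid} ({comm}): exe target unlinked or replaced: {path}")
    looks_like_daemon = bool(DAEMON_LIKE.search(comm) or DAEMON_LIKE.search(base))
    if looks_like_daemon and not path.startswith(TRUSTED_DIRS):
        # A daemon-named binary running from /tmp, /home, etc. is worth a look.
        findings.append(f"pid {pid} ({comm}): daemon-like binary outside trusted dirs: {path}")
    return findings

def scan_proc(proc_root="/proc"):
    """Walk /proc on the live system. Processes we cannot inspect are
    skipped: reading another user's exe link needs root, and zombies or
    kernel threads have no readable target."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue
        findings.extend(check_process(int(entry), comm, exe))
    return findings

if __name__ == "__main__":
    for line in scan_proc():
        print(line)
```

Run it as root to see every process; as an unprivileged user it only reports on your own processes.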
Timeline
- Discovery: Prior to November 2024 by Qualys Research Team.
- Public Disclosure: November 19, 2024.
- PoC Released: May 2025 by makuga01.
Conclusion
CVE-2024-48990 is a high-impact local privilege escalation vulnerability in the Linux needrestart utility, which is widely deployed on production systems. Its exploitation is straightforward, especially in unmonitored or automation-heavy environments. The existence of a public PoC and the nature of the flaw make it critical for system administrators to patch immediately and to review their update pipelines for similar post-update hooks or tools.
+ PATCH NOW IF YOU USE NEEDRESTART < 3.6.0
Tags
#CVE2024 #LinuxLPE #Needrestart #PrivilegeEscalation #Exploit #PoC #Debian #Perl #BindMountAbuse #QualysDisclosure