CVE-2024-11003

CVSS base score: 7.8 HIGH

📋 TL;DR

CVE-2024-11003 is a command injection vulnerability in needrestart (versions before 3.8), where unsanitized data is passed to the Module::ScanDeps Perl library. This allows local attackers to execute arbitrary shell commands on affected systems; any system running a needrestart version below 3.8 is affected.

💻 Affected Systems

Products:
  • needrestart
Versions: All versions before 3.8
Operating Systems: Linux distributions that package needrestart (Debian, Ubuntu, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in default installations. It is related to CVE-2024-10224 in the Module::ScanDeps library.

📦 What is this software?

needrestart is a utility shipped by Debian, Ubuntu and other distributions that checks, after package upgrades, which running services (and the kernel) still use outdated libraries and need to be restarted. On Debian-based systems it is invoked automatically by apt after package operations, so it runs with root privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to root, complete system compromise, installation of persistent backdoors, data exfiltration, and lateral movement within the network.

🟠 Likely Case: A local user gains elevated privileges, modifies system configuration, accesses sensitive data, or installs malware.

🟢 If Mitigated: The attack is limited to the user's own privileges if proper privilege separation exists, but still allows execution within the user's context.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring shell access to the system.
🏢 Internal Only: HIGH - Any user with local access (including compromised accounts) can exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access. Proof of concept available in Qualys advisory and related disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8

Vendor Advisory: https://github.com/liske/needrestart/commit/0f80a348883f72279a859ee655f58da34babefb0

Restart Required: No

Instructions:

1. Update needrestart to version 3.8 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install needrestart
3. For other distributions, use the appropriate package manager commands.

🔧 Temporary Workarounds

Remove needrestart

Uninstall needrestart if it is not required for system functionality:

sudo apt remove needrestart
sudo yum remove needrestart

Restrict needrestart execution

Remove execute permissions, or confine the binary via SELinux/AppArmor:

sudo chmod -x /usr/sbin/needrestart

Note that the permission change is reverted whenever the package is upgraded or reinstalled, so it only bridges the gap until the 3.8 update is applied.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts
  • Monitor for suspicious process execution and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check needrestart version: needrestart --version or dpkg -l | grep needrestart

Check Version:

needrestart --version 2>/dev/null || dpkg -l needrestart 2>/dev/null || rpm -q needrestart 2>/dev/null

Verify Fix Applied:

Confirm that the upstream version is 3.8 or higher. The version line begins with the program name, so anchored patterns such as ^[4-9] never match, and a plain 3\.8 match misses 3.9 and later; extract the number and compare it as a version instead:

v=$(needrestart --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1); [ "$(printf '%s\n' 3.8 "$v" | sort -V | head -n1)" = 3.8 ] && echo 'Patched'

Distributions often backport the fix without bumping the upstream version number; on such systems compare the full package version against your distribution's security advisory rather than against 3.8.
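The following POSIX shell script carries the check above through end to end. It is added here as an example and is not part of the advisory or of the needrestart project. It reads the installed version from dpkg-query, rpm, or the program's own version line (assumed, as in the advisory's commands, to look like "needrestart 3.6 - ..."), strips the distribution revision, and compares the dotted upstream version component by component, so 3.10 is correctly greater than 3.8 and an empty or unparseable version fails closed. The version strings in the comments and the test are constructed samples.

```shell
#!/bin/sh
# Added example: verify that the installed needrestart is at or above the
# fixed upstream version (3.8). Not part of the advisory or of needrestart.

FIXED_VERSION=3.8

# extract_version TEXT: print the first dotted version number found in TEXT,
# keeping a Debian/RPM revision suffix if one is attached, e.g.
#   "needrestart 3.6 - Restart daemons after library updates." -> 3.6
#   "ii  needrestart  3.6-4ubuntu2.1  all  ..." (constructed)    -> 3.6-4ubuntu2.1
# Prints nothing when no version is present.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+(-[0-9A-Za-z.~+]+)?' | head -n 1
}

# upstream_version VERSION: drop the packaging revision ("-4ubuntu2.1"),
# leaving only the upstream part that the CVE's version range refers to.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (so 3.10 > 3.8, and 3 == 3.0).
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # advance to the remaining components (empty once none are left)
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# is_patched TEXT: succeed only when TEXT carries an upstream version >= 3.8.
# An empty or unparseable version fails closed, so a missing tool is never
# mistaken for a patched one.
is_patched() {
    v=$(upstream_version "$(extract_version "$1")")
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# check_installed: query the live system. The package database is asked
# first (it knows the exact installed version); the program's own version
# line is the last resort. Exit 0 patched, 1 vulnerable, 2 not installed.
check_installed() {
    out=$(dpkg-query -W -f='${Version}' needrestart 2>/dev/null) \
        || out=$(rpm -q --qf '%{VERSION}-%{RELEASE}' needrestart 2>/dev/null) \
        || out=$(needrestart --version 2>/dev/null) \
        || out=
    if [ -z "$out" ]; then
        echo "needrestart is not installed"
        return 2
    fi
    if is_patched "$out"; then
        echo "Patched: $out"
    else
        echo "VULNERABLE (CVE-2024-11003): $out"
        return 1
    fi
}

# Run the live check only when asked, so the functions can also be sourced
# into other scripts without side effects.
case "${1:-}" in
    --live) check_installed ;;
esac
```

Run it on the host as `sh check_needrestart.sh --live` (hypothetical file name). Because only the upstream component is compared, a distribution package that backports the fix while keeping version 3.6 will be reported as vulnerable; on such systems compare the full `${Version}` string printed by dpkg-query against your distribution's security advisory for CVE-2024-11003.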

📡 Detection & Monitoring

Log Indicators:

  • Unusual needrestart process execution patterns
  • Suspicious command execution following needrestart runs
  • Privilege escalation attempts in system logs

Network Indicators:

  • Outbound connections from needrestart process
  • Unexpected network activity from system users

SIEM Query:

process_name:"needrestart" AND (command_line:"*sh*" OR command_line:"*bash*" OR command_line:"*sudo*")
