CVE-2024-48990
📋 TL;DR
CVE-2024-48990 is a local privilege escalation vulnerability in needrestart versions before 3.8. Attackers can exploit it by manipulating the PYTHONPATH environment variable to execute arbitrary code with root privileges. This affects Linux systems where needrestart is installed and configured to run with elevated permissions.
💻 Affected Systems
- needrestart
📦 What is this software?
Needrestart by Needrestart Project
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root access to the system, enabling complete compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Privileged local users or attackers with initial foothold escalate to root to install malware, steal credentials, or pivot to other systems.
If Mitigated
With proper access controls and least privilege, impact is limited to isolated systems with no critical data exposure.
🎯 Exploit Status
Exploitation requires local access and ability to set environment variables before needrestart executes with root privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8 and later
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/11/msg00014.html
Restart Required: No
Instructions:
1. Update the needrestart package using the system package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install needrestart
3. For other distributions, use the appropriate package manager commands.
🔧 Temporary Workarounds
Remove PYTHONPATH environment variable
Linux: Clear or restrict the PYTHONPATH environment variable for needrestart execution
sudo systemctl edit needrestart.service
Add: Environment="PYTHONPATH="
sudo systemctl daemon-reload
Run needrestart without root privileges
Linux: Configure needrestart to run with reduced privileges where possible
Edit needrestart configuration to use non-root user where functionality allows
🧯 If You Can't Patch
- Restrict local user access to systems with needrestart installed
- Implement strict environment variable controls and monitor for suspicious PYTHONPATH modifications
🔍 How to Verify
Check if Vulnerable:
Check the needrestart version: dpkg -l | grep needrestart or rpm -q needrestart. If the version is below 3.8, the system is vulnerable.
Check Version:
dpkg -l | grep needrestart || rpm -q needrestart || needrestart --version
Verify Fix Applied:
Confirm needrestart version is 3.8 or higher after update. Test that PYTHONPATH manipulation no longer results in privilege escalation.
📡 Detection & Monitoring
Log Indicators:
- Unusual PYTHONPATH environment variables in process execution logs
- needrestart execution with modified environment variables
- Unexpected root privilege escalation events
Network Indicators:
- None - this is a local attack
SIEM Query:
(process.name:"needrestart" AND env.PYTHONPATH:*) OR (process.parent.name:"needrestart" AND process.name:"python")
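One way to act on the PYTHONPATH indicators listed above on a host without a SIEM, as an added example (not code from needrestart or from the advisories referenced on this page): the script reads each process's environment from /proc and reports PYTHONPATH entries that a non-root user could control. The function names and the definition of "suspicious" (relative, missing, not root-owned, or group/world-writable entries) are assumptions of this example.

```python
import os
import stat

def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def risky_entries(pythonpath: str) -> list:
    """Return (entry, reason) pairs for entries a non-root user could control."""
    # Assumption of this example: these four criteria define "suspicious".
    findings = []
    for entry in (pythonpath.split(os.pathsep) if pythonpath else []):
        if not os.path.isabs(entry):
            findings.append((entry, "relative or empty entry"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            findings.append((entry, "missing path"))
            continue
        if st.st_uid != 0:
            findings.append((entry, "not owned by root"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/world-writable"))
    return findings

def scan_proc(proc_root: str = "/proc"):
    """Yield (pid, PYTHONPATH, findings) for processes with risky entries."""
    for name in sorted(os.listdir(proc_root)):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited, or unreadable without root
        findings = risky_entries(env.get("PYTHONPATH", ""))
        if findings:
            yield int(name), env["PYTHONPATH"], findings

if __name__ == "__main__":
    for pid, value, findings in scan_proc():
        print(f"pid={pid} PYTHONPATH={value!r} findings={findings}")
```

Run it as root so that every process's environ file is readable; an unprivileged run only covers the caller's own processes.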
🔗 References
- https://github.com/liske/needrestart/commit/fcc9a4401392231bef4ef5ed026a0d7a275149ab
- https://www.cve.org/CVERecord?id=CVE-2024-48990
- https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
- http://seclists.org/fulldisclosure/2024/Nov/17
- https://lists.debian.org/debian-lts-announce/2024/11/msg00014.html
- https://www.openwall.com/lists/oss-security/2024/11/19/1