CVE-2024-48990 Overview
CVE-2024-48990 is a local privilege escalation vulnerability discovered by Qualys in the needrestart utility, a tool commonly used on Debian-based Linux systems to detect services that need to be restarted after library upgrades. The vulnerability exists in versions prior to 3.8 and allows local attackers to execute arbitrary code as root by manipulating the PYTHONPATH environment variable to trick needrestart into running the Python interpreter with an attacker-controlled path.
Critical Impact
Local attackers can achieve root-level code execution on vulnerable systems by exploiting needrestart's insecure handling of the PYTHONPATH environment variable, potentially leading to complete system compromise.
Affected Products
- needrestart versions prior to 3.8
- Debian-based Linux distributions using vulnerable needrestart packages
- Ubuntu and derivative distributions with needrestart installed
Discovery Timeline
- 2024-11-19 - CVE-2024-48990 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-48990
Vulnerability Analysis
The vulnerability resides in needrestart's Python interpreter detection module (NeedRestart/Interp/Python.pm). When needrestart scans running processes to determine which services need restarting, it reads environment variables from the target process's /proc filesystem entry. The vulnerable code directly used the PYTHONPATH value from a process's environment to set the PYTHONPATH environment variable before invoking the Python interpreter. This design flaw allows an attacker who can control a process's environment variables to inject a malicious Python module path that gets executed with root privileges when needrestart processes that particular entry.
The vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), which occurs when an application searches for resources in a location that is under the control of malicious actors.
Root Cause
The root cause stems from insecure environment variable handling in the NeedRestart/Interp/Python.pm module. The original implementation directly copied the PYTHONPATH environment variable from target processes without proper validation or sandboxing. When needrestart invoked the Python interpreter to analyze running processes, it inherited this attacker-controllable path, allowing arbitrary Python modules to be loaded and executed with elevated privileges.
Attack Vector
An attacker with local access to the system can exploit this vulnerability by:
- Creating a malicious Python module in a controlled directory
- Setting the PYTHONPATH environment variable in a running process to point to the malicious directory
- Waiting for needrestart to scan the process (typically triggered automatically after package updates)
- When needrestart invokes Python with the attacker's PYTHONPATH, the malicious module executes with root privileges
The following patch demonstrates the security fix applied in version 3.8:
}
# prepare include path environment variable
- my %e = nr_parse_env($pid);
+ my @path;
local %ENV;
+
+ # get include path from env
+ my %e = nr_parse_env($pid);
if(exists($e{PYTHONPATH})) {
- $ENV{PYTHONPATH} = $e{PYTHONPATH};
- }
- elsif(exists($ENV{PYTHONPATH})) {
- delete($ENV{PYTHONPATH});
+ @path = map { "/proc/$pid/root/$_"; } split(':', $e{PYTHONPATH});
}
- # get include path
+ # get include path from sys.path
my ($pyread, $pywrite) = nr_fork_pipe2($self->{debug}, $ptable->{exec}, '-');
print $pywrite "import sys\nprint(sys.path)\n";
close($pywrite);
my ($path) = <$pyread>;
close($pyread);
# look for module source files
- my @path;
if(defined($path)) {
chomp($path);
$path =~ s/^\['//;
Source: GitHub Commit Changes
The patch removes the direct assignment of PYTHONPATH to the environment and instead resolves paths through the process's root filesystem namespace, preventing arbitrary path injection.
Detection Methods for CVE-2024-48990
Indicators of Compromise
- Suspicious processes with unusual PYTHONPATH environment variables pointing to non-standard directories
- Unexpected Python modules in user-writable directories that are referenced in process environments
- Anomalous root-level Python execution shortly after package update operations
- Log entries indicating needrestart execution with unusual timing or parameters
Detection Strategies
- Monitor for processes setting PYTHONPATH to user-writable directories such as /tmp, /var/tmp, or home directories
- Implement file integrity monitoring on critical system directories to detect suspicious Python module creation
- Audit needrestart execution logs for signs of abnormal behavior or unexpected Python interpreter invocations
- Deploy endpoint detection rules to flag privilege escalation patterns involving Python interpreter manipulation
Monitoring Recommendations
- Enable detailed logging for needrestart operations and correlate with system authentication logs
- Monitor /proc/*/environ access patterns for reconnaissance activity targeting environment variables
- Implement real-time alerting on root-level process execution involving Python with non-standard module paths
- Track file creation events in common staging directories that could host malicious Python modules
How to Mitigate CVE-2024-48990
Immediate Actions Required
- Upgrade needrestart to version 3.8 or later immediately on all affected systems
- Audit systems for signs of prior exploitation, particularly checking for unusual Python modules in non-standard locations
- Review process environment variables for suspicious PYTHONPATH configurations
- Consider temporarily disabling needrestart on critical systems until patching is complete
Patch Information
The vulnerability has been addressed in needrestart version 3.8. The security patch modifies the NeedRestart/Interp/Python.pm module to resolve PYTHONPATH entries through the target process's root filesystem namespace rather than directly inheriting the environment variable. Organizations should apply this update through their distribution's package management system.
For additional details, refer to the GitHub Commit Changes, the Qualys NeedRestart Advisory, and the Debian LTS Announcement.
Workarounds
- Disable needrestart's interpreter scanning functionality by setting $nrconf{interpscan} = 0; in /etc/needrestart/needrestart.conf
- Remove or disable needrestart entirely if the service restart notification functionality is not required
- Implement strict file system permissions to prevent creation of malicious Python modules in common directories
- Use mandatory access control systems (SELinux, AppArmor) to restrict needrestart's ability to execute Python with arbitrary paths
# Disable interpreter scanning in needrestart configuration
echo '$nrconf{interpscan} = 0;' | sudo tee -a /etc/needrestart/needrestart.conf
# Alternatively, upgrade needrestart to patched version
sudo apt update && sudo apt install needrestart
# Verify installed version is 3.8 or later
needrestart --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
