CVE-2024-48992 Overview
CVE-2024-48992 is a local privilege escalation vulnerability in needrestart, the utility Debian and Ubuntu use to work out which daemons (and which interpreter-based processes) must be restarted after a library upgrade. Qualys reported it together with the PYTHONPATH variant, CVE-2024-48990. Before version 3.8, needrestart can be tricked into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable, which lets an unprivileged local user execute arbitrary code as root.
Critical Impact
Any unprivileged local account can obtain code execution as root, i.e. complete compromise of the host. Because needrestart runs automatically after package upgrades (and is installed by default on Ubuntu Server), an unpatched system is exposed from the moment an attacker has a shell on it.
Affected Products
- needrestart (upstream project needrestart_project), all versions before 3.8
- Linux distributions that ship needrestart and run it from their package manager hooks; Ubuntu Server installs it by default
- Debian and Ubuntu systems with the needrestart package installed, including hosts that picked it up as a dependency or a recommended package
Discovery Timeline
- 2024-11-19 - CVE-2024-48992 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-48992
Vulnerability Analysis
The weakness is CWE-427 (Uncontrolled Search Path Element). needrestart runs as root, normally from the APT hook that fires after package upgrades, and its interpreter scanners examine running Python, Perl and Ruby processes to find out whether they have loaded libraries that the upgrade replaced. The Ruby scanner (perl/lib/NeedRestart/Interp/Ruby.pm) answers that question by executing the Ruby interpreter, and before 3.8 it did so with the environment of the process it was inspecting rather than a clean one. Ruby prepends every directory listed in RUBYLIB to its load path, so whatever RUBYLIB the inspected process carries decides where the root-run interpreter looks for libraries.
An unprivileged user therefore starts a Ruby process with RUBYLIB pointing at a directory they control and places a library there, for example a file named like a library Ruby requires on its own at startup (RubyGems is loaded that way unless gems are disabled). When needrestart next scans that process, the interpreter it launches as root resolves the name through the attacker's directory first, loads the attacker's file, and the code in it runs with root privileges.
Exploitation needs a local account with ordinary privileges and no interaction from anyone else; the attacker only has to wait for needrestart to run. A successful attack gives complete control of the system, with full impact on confidentiality, integrity and availability.
Root Cause
The root cause is that the Ruby scanner executed the interpreter with an environment it did not control: RUBYLIB came straight from the inspected process and was neither removed nor overridden. Because Ruby consults RUBYLIB directories before its own library directories, an attacker-supplied path wins any library lookup the interpreter performs while running as root.
Attack Vector
The attack requires a local account; no elevated rights and no action by another user are needed. An attacker with an unprivileged shell:
- Writes a Ruby library file into a directory they control, with the payload executed when the file is loaded
- Starts a long-running Ruby process with RUBYLIB pointing at that directory, so that the variable sits in that process's environment
- Waits for needrestart to run as root, which on Debian and Ubuntu happens automatically after package upgrades (the attacker cannot start it directly, but routine or unattended upgrades do)
- Receives root code execution when needrestart scans the Ruby process and launches the interpreter with the attacker's RUBYLIB, which loads the planted library
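To make both sides of the flaw concrete, here is an added example in Python (not code from needrestart, Qualys or this page): a minimal interpreter-scanner launch that reuses a scanned process's environment, next to a launch that builds a clean environment and pins RUBYLIB to an empty, root-owned directory, plus the ownership check a reviewer should ask for on any such fix. Python stands in for needrestart's Perl; the environ blob, the function names and the fixed PATH value are constructed for the example.

```python
"""Added example (not needrestart's, Qualys's or the page's code) of the launch
environment on both sides of CVE-2024-48992.  Python stands in for
needrestart's Perl; all names here are hypothetical."""
import os
import stat
import tempfile

# Constructed sample of /proc/<pid>/environ: NUL-separated KEY=VALUE records
# of a Ruby process that an unprivileged user started with RUBYLIB set.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin:/bin\x00"
    b"HOME=/home/mallory\x00"
    b"RUBYLIB=/home/mallory/evil:/tmp/x\x00"
    b"RUBYOPT=-W0\x00"
    b"LANG=C.UTF-8\x00"
)


def parse_environ(blob: bytes) -> dict:
    """Turn the /proc/<pid>/environ byte format into a dict."""
    env = {}
    for record in blob.split(b"\x00"):
        key, sep, value = record.partition(b"=")
        if sep:
            env[key.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
    return env


def read_process_environ(pid: int) -> dict:
    """Live variant.  Reading another user's environ needs root, which is the
    position needrestart is in when it scans, and why its choices matter."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return parse_environ(f.read())


def vulnerable_interp_env(target_env: dict) -> dict:
    """Pre-3.8 behaviour as the page describes it: the scanned process's whole
    environment is handed to the interpreter that root is about to run.
    Ruby prepends every RUBYLIB entry to $LOAD_PATH, so the attacker's
    directory is searched before the system library directories."""
    return dict(target_env)


def make_empty_rubylib_dir() -> str:
    """A RUBYLIB value nobody else can populate: mkdtemp creates the directory
    with mode 0700, owned by the caller (root when the scanner runs)."""
    return tempfile.mkdtemp(prefix="nr-rubylib-")


def discard_empty_dir(path: str) -> None:
    """Remove the directory again; a fix should do the same when it exits."""
    os.rmdir(path)


def hardened_interp_env(empty_dir: str) -> dict:
    """Allow-list construction: nothing is copied from the scanned process.
    RUBYLIB is pinned to the empty directory (the approach the upstream fix
    takes); RUBYOPT is dropped because -r<lib> in it loads code just like a
    RUBYLIB entry does (an added caution, not something the page covers)."""
    return {
        "PATH": "/usr/sbin:/usr/bin:/sbin:/bin",  # assumed fixed PATH
        "LC_ALL": "C",
        "RUBYLIB": empty_dir,
    }


def is_safe_empty_dir(path: str) -> bool:
    """The check a reviewer should ask for: the pinned path exists, is a
    directory, is owned by the calling uid, grants nothing to group or other,
    and is empty.  A directory another user could write to would simply hand
    the attacker a fresh RUBYLIB entry."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return (
        stat.S_ISDIR(st.st_mode)
        and st.st_uid == os.getuid()
        and not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))
        and not os.listdir(path)
    )


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("vulnerable launch: RUBYLIB =", vulnerable_interp_env(env)["RUBYLIB"])
    d = make_empty_rubylib_dir()
    print("hardened launch:   RUBYLIB =", hardened_interp_env(d)["RUBYLIB"],
          "safe:", is_safe_empty_dir(d))
    discard_empty_dir(d)
```

Run it as root to try read_process_environ against another user's pid; the point of the hardened variant is that nothing from that dict reaches the interpreter, and is_safe_empty_dir is the property to verify whenever a fix relies on an "empty" directory.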
The following excerpt from the upstream fix (the needrestart 3.8 change to the Ruby interpreter module) shows the declarations the patch adds; the rest of the commit, not reproduced here, is where they are used:
use parent qw(NeedRestart::Interp);
use Cwd qw(abs_path getcwd);
+use File::Temp qw(tempdir);
use Getopt::Std;
use NeedRestart qw(:interp);
use NeedRestart::Utils;
my $LOGPREF = '[Ruby]';
+my $empty_dir;
needrestart_interp_register(__PACKAGE__, "ruby");
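Review bot: `$empty_dir` is declared in this hunk but never created or applied, so nothing visible here shows that RUBYLIB is actually overridden when the interpreter is launched; the hunk that calls `tempdir` and sets the interpreter's environment should be quoted alongside these two lines. When that call is reviewed, check that it is `tempdir(CLEANUP => 1)` so the directory created by root does not accumulate under /tmp across runs, and that the resulting directory is root-owned with mode 0700, because an empty directory another user can write into is just a fresh RUBYLIB entry for the attacker.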
Source: GitHub Commit Changes
Only the declarations are reproduced above. In the full commit the File::Temp import creates an empty directory, and that directory is what the interpreter receives as its RUBYLIB when it is launched, so the load path no longer contains anything taken from the inspected process's environment and an attacker-controlled directory is never searched.
Detection Methods for CVE-2024-48992
Indicators of Compromise
- RUBYLIB in the environment of a running Ruby process (/proc/<pid>/environ) pointing at a directory owned or writable by an unprivileged user, especially under /tmp, /dev/shm or a home directory
- Ruby library files (.rb) appearing in such directories shortly before a package upgrade
- needrestart, running as root, spawning a Ruby interpreter whose environment carries a RUBYLIB outside the system library directories
- Root-owned child processes of a Ruby interpreter during package upgrade activity (apt, dpkg, unattended-upgrades)
Detection Strategies
- Sweep /proc/<pid>/environ of running Ruby processes for RUBYLIB and compare each directory against the system library locations and its ownership
- Audit any non-system directory that turns up in a load path for unexpected .rb files and for who owns them
- Put file integrity monitoring on the needrestart package files and on /etc/needrestart so that tampering with the scanner or its configuration is noticed
- Review authentication and APT logs together: a root process tree that starts under needrestart during an upgrade and does not end in a package maintainer script is the pattern to look for
Monitoring Recommendations
- Log execve events for children of needrestart (auditd can key on the parent process or on euid 0 together with the Ruby executable) and record the environment where the tooling supports it
- Alert when a Ruby interpreter started as root carries a RUBYLIB that points outside the system library directories
- Alert on new .rb files under /tmp, /dev/shm or home directories that appear shortly before an APT run, since that is the order of events an exploit needs
- Correlate privilege changes (new root shells, new SUID files, cron or systemd units written as root) with package upgrade timestamps
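The first two indicators can be checked mechanically. The following Python sweep is an added example (not a needrestart feature and not from the page's sources): it reads the environment of running Ruby processes and reports RUBYLIB entries that lie outside the distribution's library directories and that an unprivileged user could write to. Matching processes by comm name, the trusted prefix list and the sample environment are assumptions of the example.

```python
"""Added detection sweep (not a needrestart feature, not from the page's sources):
report running Ruby processes whose RUBYLIB names a directory an unprivileged
user could control.  Names, the trusted prefixes and the sample are assumptions."""
import os
import stat

# Where Ruby libraries legitimately live on a Debian-style system (assumed list).
TRUSTED_PREFIXES = ("/usr/lib/ruby", "/usr/share/ruby", "/usr/local/lib/site_ruby")

# Constructed sample: a process environment as an exploit attempt would leave it.
SAMPLE_ENV = {
    "RUBYLIB": "/usr/lib/ruby/vendor_ruby:/home/mallory/evil:/tmp/x:lib",
    "HOME": "/home/mallory",
}


def parse_environ(blob: bytes) -> dict:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE records."""
    env = {}
    for record in blob.split(b"\x00"):
        key, sep, value = record.partition(b"=")
        if sep:
            env[key.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
    return env


def writable_by_non_root(path: str) -> bool:
    """Could an unprivileged user plant a file here?  Yes if the directory does
    not exist yet (they can create it), is not owned by root, or is group/other
    writable.  The sticky bit on /tmp does not help: Ruby looks for
    <dir>/<name>.rb and anyone may create a new file in /tmp."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    except OSError:
        return False  # cannot inspect it, do not alert on a guess
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def suspicious_rubylib_entries(env: dict, dir_check=writable_by_non_root) -> list:
    """RUBYLIB entries outside TRUSTED_PREFIXES that dir_check says a non-root
    user could write to.  Relative entries are always reported: they resolve
    against whatever working directory the root-run interpreter happens to
    have.  dir_check is injectable so the logic can be tested without a
    filesystem."""
    findings = []
    for entry in env.get("RUBYLIB", "").split(":"):
        if not entry:
            continue  # empty component, nothing to resolve
        if not entry.startswith("/"):
            findings.append(entry)
        elif not entry.startswith(TRUSTED_PREFIXES) and dir_check(entry):
            findings.append(entry)
    return findings


def scan_running_ruby(proc: str = "/proc") -> list:
    """Live sweep over /proc.  Run as root: other users' environ files are not
    readable otherwise.  Matching on comm is a heuristic (a binary can be
    renamed); needrestart itself decides by the executable path."""
    hits = []
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return hits  # no procfs here
    for pid in pids:
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            if not comm.startswith("ruby"):
                continue
            with open(f"{proc}/{pid}/environ", "rb") as f:
                env = parse_environ(f.read())
        except OSError:
            continue  # process exited or is not ours to read
        for entry in suspicious_rubylib_entries(env):
            hits.append((int(pid), comm, entry))
    return hits


if __name__ == "__main__":
    print("sample:", suspicious_rubylib_entries(SAMPLE_ENV))
    for pid, comm, entry in scan_running_ruby():
        print(f"pid {pid} ({comm}): RUBYLIB entry {entry} is attacker-controllable")
```

A hit is not proof of exploitation (developers set RUBYLIB for their own projects all the time), but on a server with no such workflow it is exactly the precondition the attack needs, and it is cheap enough to run from cron before every upgrade window.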
How to Mitigate CVE-2024-48992
Immediate Actions Required
- Update needrestart to 3.8 or later; Debian and Ubuntu ship backported fixes, so the fixed package version may be lower than 3.8 there and should be checked against the distribution advisory
- Audit for signs of exploitation: unexpected root processes, new SUID binaries, root cron or systemd entries, changes to sudoers
- Review APT and dpkg logs for upgrades that ran while untrusted users had processes on the host
- If patching must wait, disable needrestart's interpreter scanners (see Workarounds) rather than removing the package, so restart detection for daemons keeps working
Patch Information
The fix shipped in needrestart 3.8. Instead of reusing the inspected process's environment, the Ruby scanner launches the interpreter with RUBYLIB set to a freshly created empty directory, so nothing from the inspected process's RUBYLIB is searched.
Patch details are in the GitHub commit linked above; the Qualys Security Advisory and the Debian LTS Announcement carry the distribution guidance.
Workarounds
- Disable interpreter scanning with $nrconf{interpscan} = 0, the workaround Qualys documented. This turns off the Python and Perl scanners as well, which also closes the sibling CVE-2024-48990 PYTHONPATH issue, at the cost of no longer being told when interpreter-based services need a restart
- Restricting who may execute needrestart does not help: the attacker never runs it. Root runs it from the APT hook, and the attacker only needs to own a process it will inspect
- An AppArmor or SELinux policy that denies needrestart's child processes access to home directories and /tmp limits where a malicious library can live, but it has to cover every interpreter the scanner may launch
- Removing needrestart from hosts that do not need it is a valid stopgap, but reinstall and patch afterwards, otherwise stale daemons will no longer be reported after upgrades
# Disable interpreter scanning in needrestart's configuration
# (/etc/needrestart/needrestart.conf, or a drop-in file under /etc/needrestart/conf.d/).
# This is the workaround Qualys documented. It switches off the Ruby, Python and
# Perl scanners together: needrestart will no longer report those processes as
# needing a restart, but it can no longer be tricked into running them either.
$nrconf{interpscan} = 0;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.