Qualys recently found not one, not two, not three but literally five vulnerabilities (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224 and CVE-2024-11003) inside of a tool that is installed by default on Ubuntu Server (since 21.04) and that lead directly to local privilege escalation to root.
They all happen inside of a package called needrestart, which is written in Perl and ostensibly exists to see if the system or services on said system need to be restarted after an update -- it is run as root from an apt hook, for instance after running 'sudo apt-get install mynewtoy' - something a lot of people will be doing just to "mitigate" this set of vulnerabilities. Re-read that again. The fix is needrestart 3.8; until it lands on a box, the workaround Qualys published is to turn off interpreter scanning in /etc/needrestart/needrestart.conf.
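For reference, the workaround as it looks in the config file. This is an added illustration, not something quoted from the needrestart project or from the original post; it assumes the stock Ubuntu location of the config file and the `$nrconf{interpscan}` option that Qualys' advisory names as the switch for the vulnerable interpreter scanning.

```perl
# /etc/needrestart/needrestart.conf (assumed stock path on Ubuntu Server)
# The file is Perl and is evaluated by needrestart itself when it runs as root.

# Default behaviour: scan running processes for Python/Ruby interpreters.
# This is the code path the five Qualys findings go through, so leave it
# enabled only once needrestart >= 3.8 is installed.
#$nrconf{interpscan} = 1;

# Workaround until the fixed package is installed: disable interpreter scanning.
$nrconf{interpscan} = 0;
```

Flip the setting back once the patched package is installed if you rely on needrestart to tell you about stale interpreters.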
There are so many things wrong with this that it makes you want to pull your hair out, and this type of problem is totally preventable.
I was going to write a tweet about this and be done with it, but this is precisely the type of stupidity that happens on almost every single cloud server today. It is not because the end users are dumb - it is because they don't know of the tools that exist which let them avoid these issues entirely.
Just to be clear - I don't have a problem with the authors of this particular application. I don't have a problem with Debian/Ubuntu maintainers or employees. I have a problem with the idea that we should be provisioning servers that are explicitly designed to run many different applications, written in many different languages, by many different users, when we have the technology to not do that.