'Alarming' security bugs lay low in Linux's needrestart utility for 10 years

Researchers at Qualys refuse to release exploit code for five bugs in the Linux world's needrestart utility that allow unprivileged local attackers to gain root access without any user interaction. The security shop's Threat Research Unit (TRU) said it was able to develop a working exploit but wouldn't release it, describing …

  1. This post has been deleted by its author

  2. Doctor Syntax Silver badge

    I suppose that, as is usual with Linux utilities needrestart can be updated without needing a restart.

  3. Anonymous Coward

    General Linux utility

    Why is this presented as a 'Ubuntu Server utility'? It's available on most distros and not just for servers either.

    1. Henry 8

      Re: General Linux utility

      The Qualys post everyone is linking to says "The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. " which seems to have been widely misinterpreted (in every report I've seen on this issue) as "this is a bug in Ubuntu Server"

    2. diodesign (Written by Reg staff) Silver badge

      Cos Qualys

      Hey - it's because Qualys focused on Ubuntu Server as it has the tool by default, and it's a widely used flavor. Yes, needrestart is present in other distros but not necessarily installed. It's not on my El Reg office Debian Linux workstation.

      Still, we've tweaked the piece to appeal more to everyone who has the thing installed, by default or by choice.

      C.

      1. Doctor Syntax Silver badge

        Re: Cos Qualys

        It seems to have been derived from another project checkrestartneeded. Both are in the repositories for Devuan and Debian but neither is installed on my desklaptop either. It's easy to see why. They're to make sure any updated libraries are brought into action by ensuring everything that runs them gets restarted. Desktops and laptops get rebooted fairly often (unless they're left running for the janitor to come round at night and fix everyone's problems for them) so it's really a server need where there are long-running daemons. But Debian is pretty good at restarting daemons anyway. I wonder if it's something that's used for setting up the .deb files before distribution.

  4. williamyf Bronze badge

    move to Debian ASAP

    As there are not enough eyes on Ubuntu...

    or maybe the eyes were distracted? MIR&unity? Ubuntu phone? Snap?

  5. Anonymous Coward

    That's the Achilles heel of Linux, no one is paid to fix obscure, boring bugs, it's not as sexy as working on the "latest thing".

    Similar issue with proprietary software, the bugs are obscure and boring, but at least for most commercial companies except for MS, there's usually an incentive to keep the paying customers reasonably happy and relatively safe. Relatively, I wrote, not absolutely.

  6. Gene Cash Silver badge

    From the Debian package description

    Features:

    - supports (but does not require) systemd

    - binary blacklisting (i.e. display managers)

    - tries to detect required restarts of interpreter based daemons (supports Java, Perl, Python, Ruby)

    - tries to detect required restarts of containers (docker, LXC)

    - tries to detect pending kernel upgrades

    - tries to detect pending microcode upgrades for Intel CPUs

    - could be used as nagios check_command

    - fully integrated into apt/dpkg using hooks

    Sounds like it's a complex tool that has a lot on its plate.

    1. Joe W Silver badge

      Re: From the Debian package description

      Well.

      It certainly tries hard...

      (and it should do - or do not

      I'll get my rain coat with the "Guide to Dagobah" in the pocket)

  7. the reluctant commentard

    Ubuntu page with which versions have the fix

    The article states that version 3.8 fixes the issue, however that is the version number of the source project on GitHub. Ubuntu backports fixes to various flavours of Ubuntu, and so the actual version number on an installation is different.

    Here is an Ubuntu page listing which versions contain the fix for each flavour of Ubuntu: https://ubuntu.com/blog/needrestart-local-privilege-escalation

  8. From the North

    An easy fix

    sudo apt remove needrestart

    Nothing valuable appears to be lost doing this.

    1. sabroni Silver badge

      Re: Nothing valuable appears to be lost doing this.

      How thoroughly did you check?

      The valuable thing this does is reboot after you install an update that needs a reboot. Without it you think you have installed the update but if the device hasn't rebooted then you don't.

      If you're installing updates to reduce vulnerabilities then switching this off could leave you unprotected until a manual reboot.

      You decide whether that is valuable. Given how infrequently Linux machines are rebooted you could be vulnerable for a long time, right?

      1. bazza Silver badge

        Re: Nothing valuable appears to be lost doing this.

        Most of the times I’ve updated my Ubuntu server installations there’s been a fresh shiny kernel to reboot into anyway, and a manual reboot is required anyway. That does rather negate the value of having a tool that tries to work out whether anything else needs a reboot.

  9. bazza Silver badge

    Ah, the perils of having security critical code written in a scripting language. This is not the interpreter you were looking for, enjoy the experience!

  10. BPontius

    20/20 vision is hard through rose colored glasses

    Isn't "so many eyes on the code" supposed to prevent this? Is that not the Linux security super power? The 33-year-old rose coloured glasses used to view Linux security need a new prescription, as the reality distorting lenses and utopic tinting are no longer protecting Linux users from seeing the harsh reality.
