CVE-2024-48990: 
Linux Debian vulnerability analysis and mitigation

Qualys discovered a critical vulnerability in needrestart (CVE-2024-48990) before version 3.8, which allows local attackers to execute arbitrary code as root. The vulnerability exists by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. This vulnerability has existed since the introduction of interpreter support in needrestart 0.8 in April 2014 (Qualys Advisory).

The vulnerability occurs when needrestart processes Python interpreter instances. When determining whether a Python process needs to be restarted, needrestart extracts the PYTHONPATH environment variable from the process's /proc/pid/environ and sets this environment variable before executing Python. If a Python process belongs to a local attacker, needrestart executes Python with the attacker-controlled PYTHONPATH environment variable, enabling arbitrary code execution as root. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows local attackers to gain root privileges on affected systems. This is particularly critical for Ubuntu Server installations since version 21.04, where needrestart is installed by default. The impact is heightened because the vulnerability can be exploited without user interaction through unattended-upgrades (Ubuntu Blog).

The primary mitigation is to update to needrestart version 3.8 or later. If immediate updating is not possible, a temporary workaround is to disable the interpreter scanners by adding '$nrconf{interpscan} = 0;' to /etc/needrestart/needrestart.conf. However, this should only be applied as a last resort and the configuration should be restored once updates are applied (Ubuntu Blog).