
Cloud Vulnerability DB
A community-led vulnerabilities database
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable. The vulnerability was discovered and disclosed in November 2024 and affects needrestart installations on various Linux distributions, particularly Ubuntu Server, where it has been installed by default since version 21.04 (Qualys Advisory, Ubuntu Blog).
The vulnerability exists in needrestart's interpreter scanning feature, which was introduced in version 0.8 (April 2014). When needrestart processes a Ruby interpreter, it extracts and sets the RUBYLIB environment variable from the process's /proc/pid/environ. This allows an attacker to control the environment and execute arbitrary code through a specially crafted shared library 'enc/encdb.so'. The vulnerability has been assigned a CVSS 3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows local attackers to execute arbitrary code with root privileges, effectively providing a complete system compromise. This is particularly concerning as needrestart runs automatically during package updates through unattended-upgrades, requiring no user interaction for exploitation (Qualys Advisory).
The primary mitigation is to update to needrestart version 3.8 or later. For systems where updates cannot be immediately applied, a temporary workaround is available by editing /etc/needrestart/needrestart.conf to disable interpreter scanners by adding the line '$nrconf{interpscan} = 0;' (Ubuntu Blog, Qualys Advisory).
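The two remediation states above can be checked per host. The following is an added example, not code from needrestart, Qualys or Ubuntu: the function names are hypothetical, the sample config is constructed, and it inspects only the single config file it is given.

```sh
#!/bin/sh
# Added example: classify a host against the needrestart RUBYLIB issue.
# Function names are hypothetical; 3.8 and the interpscan line come from the page.

# Succeeds if package version $1 is at or above upstream 3.8.
# Caveat: distributions may backport the fix under an older upstream version,
# so a "not fixed" result here means "check the distribution's advisory".
version_is_fixed() {
    v=${1#*:}        # drop a Debian-style epoch ("1:3.6-1" -> "3.6-1")
    v=${v%%-*}       # drop the packaging revision ("3.6-1" -> "3.6")
    lowest=$(printf '%s\n%s\n' "3.8" "$v" | sort -V | head -n 1)
    [ "$lowest" = "3.8" ]
}

# Print the effective interpscan value from a needrestart.conf-style file.
# Commented-out lines are ignored and the last assignment wins (the file is
# Perl); prints "unset" when no active assignment exists.
interpscan_setting() {
    val=$(sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# $1 = installed package version, $2 = path to the config file.
# Prints "fixed", "mitigated" (workaround active) or "exposed".
audit_needrestart() {
    if version_is_fixed "$1"; then
        echo fixed
    elif [ "$(interpscan_setting "$2")" = "0" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Constructed sample config (not from a real host): the workaround line is
# present, preceded by a commented-out line that must not count.
sample=$(mktemp)
printf '%s\n' '#$nrconf{interpscan} = 1;' '$nrconf{interpscan} = 0;' > "$sample"
audit_needrestart "3.6-7" "$sample"   # prints: mitigated

# On a Debian/Ubuntu host the real inputs would be:
#   audit_needrestart "$(dpkg-query -W -f='${Version}' needrestart)" \
#       /etc/needrestart/needrestart.conf
```

A result of "mitigated" means only that interpreter scanning is disabled in that file; upgrading to a fixed package remains the primary remediation.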
Source: This report was generated using AI