Microsoft uncovered vulnerabilities in Linux systems that could be used to grant attackers root access if they were chained together.
The flaws, dubbed "Nimbuspwn," are detected in networkd-dispatcher, a dispatcher daemon for systemd-networkd connection status changes in Linux, and are labelled as CVE-2022-29799 and CVE-2022-29800. As part of a code review and dynamic analysis effort, Microsoft found the vulnerabilities while listening to signals on the System Bus.
Microsoft’s Jonathan Bar Or explained, “Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities.”
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.”
He went on to state that ransomware attackers might use Nimbuspwn as a route for root access in order to have a significant impact on affected machines.
Clayton Craft, the maintainer of the networkd-dispatcher, apparently worked promptly to remedy the flaws after responsibly revealing the bugs.
Linux users who are affected are recommended to apply patches as soon as they become available.
Although Nimbuspwn has the potential to affect a huge number of people, attackers would first need local access to the targeted systems in order to exploit the flaws.
Mike Parkin, senior technical engineer at Vulcan Cyber argued, “Any vulnerability that potentially gives an attacker root-level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released.”
“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”