Microsoft discovers Nimbuspwn privilege escalation vulnerabilities in Linux

Linux

Security researchers at Microsoft have found a series of vulnerabilities affecting Linux. Collectively named Nimbuspwn, the security flaws can be chained together to allow an attacker to gain root access to a system.

Microsoft warns that the vulnerabilities, which are being tracked as CVE-2022-29799 and CVE-2022-29800, could also be exploited to execute ransomware attacks and more.

See also:

Writing about its finding in a blog post, the Microsoft 365 Defender Research Team says: “Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution. Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices”.

The team continues:

We discovered the vulnerabilities by listening to messages on the System Bus while performing code reviews and dynamic analysis on services that run as root, noticing an odd pattern in a systemd unit called networkd-dispatcher. Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities. We shared these vulnerabilities with the relevant maintainers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Fixes for these vulnerabilities, now identified as CVE-2022-29799 and CVE-2022-29800, have been successfully deployed by the maintainer of the networkd-dispatcher, Clayton Craft. We wish to thank Clayton for his professionalism and collaboration in resolving those issues.

The advice from Microsoft is that users of networkd-dispatcher should update their instances.

Details of the vulnerabilities can be found in the Microsoft 365 Defender Research Team blog post.

Image credit: jivacore / Shutterstock

Author: Martha Meyer