Microsoft has discovered vulnerabilities in Linux systems that could be chained to provide attackers with root access.
Named “Nimbuspwn,” the bugs have been identified as CVE-2022-29799 and CVE-2022-29800, and are found in networkd-dispatcher – a dispatcher daemon for systemd-networkd connection status changes in Linux.
Microsoft discovered the vulnerabilities while listening to messages on the System Bus as part of a code review and dynamic analysis effort.
“Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities,” explained Microsoft’s Jonathan Bar Or.
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.”
He added that Nimbuspwn could also be exploited as a vector for root access by ransomware attackers in order “to achieve greater impact on vulnerable devices.”
After responsibly disclosing the bugs, the maintainer of the networkd-dispatcher, Clayton Craft, reportedly worked quickly to resolve the issues.
Affected Linux users are urged to patch their systems as soon as updates become available.
Although Nimbuspwn could potentially impact a large swathe of users, attackers would need local access to targeted systems first in order to leverage the vulnerabilities.
“Any vulnerability that potentially gives an attacker root level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released,” argued Mike Parkin, senior technical engineer at Vulcan Cyber.
“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”
