Linux Nimbuspwn flaws could allow attackers to deploy sophisticated threats

Pierluigi Paganini April 27, 2022

Microsoft disclosed two Linux privilege escalation flaws, collectively named Nimbuspwn, that could allow conducting various malicious activities.

The Microsoft 365 Defender Research Team has discovered two Linux privilege escalation flaws (tracked as CVE-2022-29799 and CVE-2022-29800) called “Nimbuspwn,” which can be exploited by attackers to conduct various malicious activities, including the deployment of malware.

“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” reads the advisory published by Microsoft.

The flaws can be exploited by attackers to achieve root access to the target systems and deploy by more sophisticated threats, such as ransomware.

The flaws reside in the systemd component called networked-dispatcher, which is dispatcher daemon for systemd-networkd connection status changes.

The review of the code flow for networkd-dispatcher revealed multiple security issues, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues.

The researchers started enumerating services that run as root and listen to messages on the System Bus, performing both code reviews and dynamic analysis.

Chaining the issues, an attacker in control of a rogue D-Bus service that can send an arbitrary signal, can deploy backdoors on the compromised final touches.

Linux Nimbuspwn flaws

The researchers were able to develop their own exploit that runs an arbitrary script as root. The exploit also copies /bin/sh to the /tmp directory, sets /tmp/sh as a Set-UID (SUID) executable, and then invokes “/tmp/sh -p”. (the “-p” flag is necessary to force the shell to not drop privileges)

Researchers recommend users of networkd-dispatcher to update their installs.

“To address the specific vulnerabilities at play, Microsoft Defender for Endpoint’s endpoint detection and response (EDR) capabilities detect the directory traversal attack required to leverage Nimbuspwn.” concludes the post.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Nimbuspwn flaws)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment