Nimbuspwn bugs allow attackers to gain root privileges on some Linux machines (CVE-2022-29799, CVE-2022-29800)
Microsoft has unearthed two security vulnerabilities (CVE-2022-29799, CVE-2022-29800) in the networkd-dispatcher daemon that may be exploited by attackers to gain root on many Linux endpoints, allowing them to deploy backdoors, malware, ransomware, or perform other malicious actions.
About the vulnerabilities (CVE-2022-29799, CVE-2022-29800)
CVE-2022-29799 is a directory traversal bug; CVE-2022-29800 is a time-of-check-time-of-use (TOCTOU) race condition that could allow an attacker to replace scripts that networkd-dispatcher (the vulnerable daemon, run as a systemd unit) believes to be owned by root with ones that are not. Add to this a symlink race condition that the researchers discovered at the same time, and you have an open path to elevation of privilege.
In their experiments, researchers managed to win the TOCTOU race condition in three attempts.
They’ve also made the exploit deliver a root backdoor, to allow for permanent root capabilities.
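To make the two bug classes concrete from the defender's side, here is an added example in Python (the language networkd-dispatcher is written in). It is not networkd-dispatcher's own code and not Microsoft's proof of concept; the hook-directory layout, the state string, the sample files and every function name are assumptions. It shows the traversal check an untrusted state name needs, and the racy stat-then-run ownership check beside the open-then-fstat form, which pins the inode that will actually be executed and refuses symlinks outright.

```python
import os
import stat
import tempfile

# Toy script runner illustrating the two bug classes in the article.
# Added example, not networkd-dispatcher's own code; the directory layout,
# state names and function names are assumptions.


def script_dir_for_state(base_dir, state):
    """Build the per-state hook directory from a caller-supplied state string.

    The state arrives from an untrusted bus message, so it must never be able
    to steer the path outside base_dir (the directory-traversal class)."""
    if not state or "/" in state or "\0" in state or state in (".", ".."):
        raise ValueError("invalid state name: %r" % state)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, state + ".d"))
    # realpath also resolves symlinks, so a planted link cannot escape either
    if os.path.commonpath([base, target]) != base:
        raise ValueError("state directory escapes base: %r" % target)
    return target


def state_is_accepted(state, base_dir="/etc/networkd-dispatcher"):
    """Convenience wrapper: True if the state name survives the traversal check."""
    try:
        script_dir_for_state(base_dir, state)
        return True
    except ValueError:
        return False


def is_trusted_script_racy(path, required_uid=0):
    """Vulnerable pattern: check the *name*, then run the *name* later.

    stat() follows symlinks, and between this check and the eventual exec the
    name can be repointed at a different file (the TOCTOU class)."""
    st = os.stat(path)
    return st.st_uid == required_uid and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def open_trusted_script(path, required_uid=0):
    """Hardened pattern: open first, then check the opened inode with fstat().

    Returns a file descriptor; execute it with os.fexecve() so what runs is
    exactly the inode that was checked, whatever the name points to by then.
    O_CLOEXEC is deliberately not set: fexecve() on a script needs the
    descriptor to survive the exec so the interpreter can read it.
    Raises OSError (ELOOP) for symlinks and PermissionError for bad files."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file: %s" % path)
        if st.st_uid != required_uid:
            raise PermissionError("wrong owner %d for %s" % (st.st_uid, path))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("group/world-writable: %s" % path)
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Build a throwaway hook layout (constructed sample data) and run both checks.

    Returns (racy_check_approved_symlink, hardened_rejected_symlink,
             traversal_rejected)."""
    me = os.getuid()  # required_uid would be 0 in a real daemon
    root = tempfile.mkdtemp()
    hooks = os.path.join(root, "routable.d")
    os.mkdir(hooks)
    script = os.path.join(hooks, "10-ok.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    os.chmod(script, 0o755)
    link = os.path.join(hooks, "20-link.sh")
    os.symlink(script, link)

    racy = is_trusted_script_racy(link, required_uid=me)  # approves a symlink
    try:
        open_trusted_script(link, required_uid=me)
        hardened_rejected = False
    except OSError:  # O_NOFOLLOW refuses the link with ELOOP
        hardened_rejected = True
    traversal_rejected = not state_is_accepted("../../tmp", base_dir=root)

    fd = open_trusted_script(script, required_uid=me)  # the regular file passes
    os.close(fd)
    return racy, hardened_rejected, traversal_rejected


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the hardened path never re-derives anything from the file name after the check: the descriptor returned by `open_trusted_script()` is the only handle the caller should execute from, and the state string is validated before it ever touches `os.path.join()`.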
Jonathan Bar Or from the Microsoft 365 Defender Research Team detailed their discovery in this blog post, and said that Clayton Craft, the maintainer of networkd-dispatcher, fixed them earlier this month.
The question now remains which Linux distributions use the vulnerable networkd-dispatcher.
Bar Or says that their exploit is effective only if it can use the “org.freedesktop.network1” bus name – and this is possible in several environments.
He mentions Linux Mint, which is based on Ubuntu (which, in its turn, is based on Debian), and a quick search reveals that networkd-dispatcher is packaged in those distros – though possibly not installed by default on all installations.
To conclude: While the danger of wide exploitation of the Nimbuspwn bugs looks to be much lower than that of the recently discovered Dirty Pipe and PwnKit flaws, Linux users and admins should be on the lookout for patches and implement them if/when they become available.
It’s true that vulnerabilities that allow local elevation of privilege are less critical than those that allow unauthenticated remote code execution, as attackers must first find a way to gain access to the target system before even thinking about exploiting them. Still, they are regularly taken advantage of by attackers: Dirty Pipe (CVE-2022-0847), for example, was added to CISA’s Known Exploited Vulnerabilities Catalog on Monday.