Microsoft has disclosed several vulnerabilities affecting Linux desktop systems. The flaws, collectively dubbed Nimbuspwn, can be chained together to elevate privileges to root and then deploy arbitrary payloads as root, such as a root backdoor. Tracked as CVE-2022-29799 and CVE-2022-29800, they could serve as a local root-access vector in more sophisticated attacks, including malware and ransomware deployment.
How Did Microsoft Discover the Nimbuspwn Exploits?
Microsoft discovered the vulnerabilities by listening to messages on the System Bus (D-Bus) while reviewing code and performing dynamic analysis on services that run as root. This is how the researchers noticed “an odd pattern in a systemd unit called networkd-dispatcher.” Closer review of the code uncovered multiple security issues, including directory traversal, a symlink race, and a time-of-check-time-of-use (TOCTOU) race condition. The discovery was shared “with the relevant maintainers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).” Fixes are now available, thanks to the maintainer of networkd-dispatcher, Clayton Craft.
CVE-2022-29799 and CVE-2022-29800 Vulnerabilities
Microsoft researcher Jonathan Bar Or reviewed the networkd-dispatcher source code and noticed that a function named “_run_hooks_for_state” builds the path of the hook scripts to run from the network state it receives over the system bus, leaving Linux systems open to a directory traversal vulnerability, CVE-2022-29799. The function did not sanitize the state string before joining it to the script path, so a state value containing path components such as “../” lets an attacker break out of the “/etc/networkd-dispatcher” base directory and have scripts loaded from a directory of their choosing.
In addition, “_run_hooks_for_state” contains a second vulnerability, CVE-2022-29800, a TOCTOU race condition. There is a window between the moment networkd-dispatcher discovers the scripts and checks that they are owned by root and the moment it runs them. An attacker who wins that race can swap a script that networkd-dispatcher has already verified as root-owned for a malicious one, which is then executed as root.
Threat actors can chain the two vulnerabilities to achieve full root access. More technical details are available in Microsoft’s report.
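The following is an added example, not networkd-dispatcher's own code, that models both flaws in a stripped-down hook runner and places each weak pattern beside a hardened form: the traversal from an unvalidated state name joined to the base directory, and the TOCTOU from checking ownership on a path and then executing that path. The “/etc/networkd-dispatcher” base directory comes from the text above; the “<state>.d” directory layout, the function names, the hostile state value, the temporary hook directory and the use of the current uid as a stand-in for root are assumptions made for the demonstration.

```python
import os
import re
import stat
import subprocess
import tempfile

# Real hook directory used by networkd-dispatcher; the "<state>.d" layout is assumed here.
BASE_DIR = "/etc/networkd-dispatcher"
STATE_RE = re.compile(r"[a-z][a-z0-9-]*")  # allow-list: no '/', '.', or '..'

def vulnerable_hook_dir(state: str, base_dir: str = BASE_DIR) -> str:
    # CVE-2022-29799 pattern: the state string arrives from the system bus and is
    # joined to the base directory with no validation, so "../" walks out of it.
    return os.path.join(base_dir, state + ".d")

def hardened_hook_dir(state: str, base_dir: str = BASE_DIR) -> str:
    # Allow-list the state name, then confirm the resolved directory is still
    # inside base_dir (this also catches a hook directory replaced by a symlink).
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"rejected state name {state!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, state + ".d"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"hook directory {target} escapes {base}")
    return target

def vulnerable_run(script_path: str, owner_uid: int = 0) -> int:
    # CVE-2022-29800 pattern: ownership is checked on the *path*, then the *path*
    # is executed; the file or a symlink can be swapped between the two steps.
    if os.stat(script_path).st_uid != owner_uid:
        raise PermissionError(f"{script_path}: not owned by uid {owner_uid}")
    return subprocess.run([script_path]).returncode

def open_trusted_script(script_path: str, owner_uid: int = 0) -> int:
    # Open once without following symlinks and check the open descriptor, so the
    # inode that is executed is exactly the inode that was checked.
    fd = os.open(script_path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{script_path}: not a regular file")
        if st.st_uid != owner_uid:
            raise PermissionError(f"{script_path}: owned by uid {st.st_uid}, want {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{script_path}: group/world writable")
    except Exception:
        os.close(fd)
        raise
    return fd

def run_trusted_script(fd: int) -> int:
    # Execute through the checked descriptor (Linux /proc/self/fd/N); pass_fds keeps
    # it open across fork/exec so the child resolves the same file. Always closes fd.
    try:
        return subprocess.run([f"/proc/self/fd/{fd}"], pass_fds=[fd]).returncode
    finally:
        os.close(fd)

def demo_traversal() -> dict:
    hostile_state = "../../tmp/evil"  # constructed attacker-chosen state value
    try:
        hardened_hook_dir(hostile_state)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_path": os.path.normpath(vulnerable_hook_dir(hostile_state)),
        "hardened_rejects": rejected,
        "good_state": hardened_hook_dir("routable"),
    }

def demo_toctou() -> dict:
    me = os.getuid()  # the current uid stands in for root so this runs unprivileged
    def rejected(path: str, uid: int) -> bool:
        try:
            os.close(open_trusted_script(path, uid))
            return False
        except OSError:  # ELOOP from O_NOFOLLOW, or the PermissionError raised above
            return True
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "10-hook")
        with open(real, "w") as f:
            f.write("#!/bin/sh\nexit 7\n")  # constructed hook script
        os.chmod(real, 0o700)
        link = os.path.join(d, "20-swapped")
        os.symlink("/etc/passwd", link)  # what a racing attacker would drop in
        fd = open_trusted_script(real, owner_uid=me)
        try:
            code = run_trusted_script(fd)
        except OSError:  # sandbox without /proc or with a noexec temp dir
            code = None
        return {
            "regular_ok": True,
            "exit_code": code,
            "symlink_rejected": rejected(link, me),
            "wrong_owner_rejected": rejected(real, me + 1),
        }
```

Run `demo_traversal()` and `demo_toctou()` to see the two halves: the vulnerable builder turns the hostile state into `/tmp/evil.d` while the hardened one rejects it, and the descriptor-based check refuses a symlink and a wrongly owned file while still executing the genuine hook through `/proc/self/fd`. The design choice worth copying is that every property is verified on the already-open descriptor and execution goes through that same descriptor, so there is no second path lookup for an attacker to race.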