The vulnerabilities collectively referred to as Nimbuspwn could be chained together to gain root privileges, allowing an attacker to create backdoors, deploy malicious payloads, and perform root code execution.
Microsoft says Nimbuspwn vulnerabilities could potentially be leveraged as a vector for ransomware deployment and other sophisticated threats, including nation-state cyber-espionage.
Nimbuspwn Linux privilege escalation vulnerability explained
Microsoft 365 defender research team began by listening to messages on the system bus leading them to review the code for the networkd-dispatcher.
They discovered information leaks via Directory Info Disclosure in Blueman and Directory Info Disclosure in PackageKit (CVE-2022-0987). Further probes led to the discovery of more issues on the networkd-dispatcher whose daemon runs at boot with root privileges.
A review of networkd-dispatcher code led to the discovery of directory traversal, symlink race, and time-of-check-time-of-use race conditions.
Microsoft says the networkd-dispatcher daemon used the “_run_hooks_for_state” method to discover and run scripts depending on the network state.
The method returns executable script files from the “/etc/networkd-dispatcher/.d” owned by the root user and the root group. The daemon then runs each script using the subprocess.Popen process.
Vulnerabilities in the networkd-dispatcher components:
The use of symbolic links – Microsoft discovered that the subprocess.Popen follows symbolic links in the discovery and running of scripts in the base directory.
Directory traversal vulnerability (CVE-2022-29799) – Microsoft discovered that the control flow fails to sanitize the OperationalState and the AdministrativeState states. Since the states are responsible for creating the executable script paths, an attacker could escape the “/etc/networkd-dispatcher” directory using the “../../” directory traversal patterns.
Time-of-check-time-of-use race condition (CVE-2022-29800) – Microsoft discovered a time gap between the discovery and execution of the root scripts. The delay could allow an attacker to replace the root scripts and trick the networkd-dispatcher that they belong to the root.
Nimbuspwn Linux privilege escalation vulnerability bottlenecks
Microsoft suggested that the privilege escalation flaw was challenging to exploit. The researchers indicated that an attacker could win the race conditions in three attempts to exploit the vulnerability successfully.
Similarly, the researchers noted that an attacker required a system bus such as “org.freedesktop.network1” that can send signals to exploit the Nimbuspwn privilege escalation vulnerability. However, owning such a system bus was not a trivial undertaking.
Unfortunately, some Linux environments such as Linux Mint have the systemd-networkd process that owns the “org.freedesktop.network1” bus name and does not start at boot by default.
Similarly, some Linux systems have processes running as the systemd-network user that owns the bus name and can run arbitrary code from world-writable locations. Microsoft partly attributed this vulnerability to user misconfiguration.
Consequently, exploiting the Nimbuspwn privilege escalation vulnerability could depend on the host Linux environment and the user’s configuration settings.
“This is an interesting set of vulnerabilities affecting Linux desktop users,” Casey Bisson, Head of Product and Developer Relations at BluBracket, said. “The risk footprint could be broad: Linux desktops aren’t just for hobbyists; tens of thousands of Google employees use a derivative of Debian as their desktop OS, and there are a number of other notable corporate, government, and research facilities that have large Linux desktop deployments.”
Microsoft disclosed that the networkd-dispatcher maintainer had availed security patches for the privilege escalation vulnerability.
The company encouraged users to update their systems, adding that most attacks exploited unpatched vulnerabilities as the attack vector.
“Fixes for these vulnerabilities, now identified as CVE-2022-29799 and CVE-2022-29800, have been successfully deployed by the maintainer of the networkd-dispatcher, Clayton Craft,” Microsoft’s Jonathan Bar Or wrote. “We wish to thank Clayton for his professionalism and collaboration in resolving those issues. Users of networkd-dispatcher are encouraged to update their instances.”
Additionally, Microsoft recommended a “proactive vulnerability management approach” that identifies and mitigates previously unknown vulnerabilities.
The company also recommended installing endpoint security solutions capable of detecting the directory traversal vulnerability required to complete the Nimbuspwn attack chain.
“This is a solid find by Microsoft made more interesting by the fact that the Linux aspects included in Microsoft wouldn’t include this,” John Bambenek, Principal Threat Hunter at Netenrich. “This is the kind of intra-platform cooperation that will greatly enhance our security going forward.”