Microsoft has revealed that it discovered a list of vulnerabilities that could allow bad actors to gain root system rights on Linux systems. Collectively called Nimbuspwn, the vulnerabilities could potentially be leveraged by attackers as a vector for root access by more sophisticated threats including malware and ransomware, the software giant said. The security flaws exist in a system component that is widely available on Linux distributions. Fixes for the reported vulnerabilities have been deployed by the maintainer of the component.
In a detailed blog post, Microsoft said that the vulnerabilities discovered by the Microsoft 365 Defender Research team could be grouped together to gain root privileges on Linux systems and allow attackers to execute ransomware attacks or malicious actions using arbitrary code.
The vulnerabilities, tracked as CVE-2022-29799 and CVE-2022-29800, were found in the component called networkd-dispatcher, which helps provide network status updates. It runs as root when a system starts to dispatch network status changes and run scripts to respond to a new network status.
However, it was discovered that the system component included a method "_run_hooks_for_state" that allows hackers to gain access to the “/etc/networkd-dispatcher” base directory. The method essentially exposes the Linux system to the directory traversal vulnerability, which is identified as CVE-2022-29799, by not sanitising the OperationalState or the AdministrativeState, according to the Microsoft researchers.
The same method is also found to have the Time-of-check-time-of-use (TOCTOU) race condition flaw, which is tracked as CVE-2022-29800. This particular flaw allows attackers to replace scripts that networkd-dispatcher believes to be owned by root with the ones that contain malicious code, the researchers said.
An attacker may use multiple malicious scripts one after another to exploit the vulnerability.
Microsoft researchers shared a proof-of-concept where they highlighted that in three attempts, they were able to win the race condition flaw and successfully plant their files.
As ArsTechnica notes, a hacker with minimal access to a vulnerable system can exploit the reported vulnerabilities to gain full root access.
Microsoft Principal Security Researcher Jonathan Bar Or told Gadgets 360 that the flaws have been fixed in the latest version of network-dispatcher. Users will be able to find the new version in a systemd update on their Linux machines. Otherwise, they can deploy the patches by manually install the latest network-dispatcher build.
Users can determine the existence of the vulnerabilities on their systems by using the details shared by Microsoft researchers. If the machines are vulnerable, it is highly recommended to look for the fixes.
Affiliate links may be automatically generated - see our ethics statement for details.