The Microsoft 365 Defender research team has revealed several new Linux vulnerabilities collectively dubbed “Nimbuspwn”. Like the Dirty Pipe vulnerability, they only require a local user with low abilities to elevate privileges, but this time the exploit seems much more specific and focuses on “networkd-dispatcher”, a systemd component which handles connection state changes.
The Nimbuspwn collection of vulnerabilities is registered as CVE-2022-29799 (Directory Traversal) and CVE-2022-29800 (TOCTOU race conditions). Researchers found that the logic implemented in the networkd-dispatcher component does not clean up critical elements used to build the script path, which could be exploited to escape the /etc/networkd-dispatcher/ directory.
Additionally, Microsoft researchers discovered a dangerous delay (hence the TOCTOU, time-of-check-time-of-use) between scripts discovered by the component and when they are actually executed. Hackers could exploit these gaps to replace the scripts with their own.
The researchers concluded that attackers could use these vulnerabilities to send an arbitrary signal. This is only possible under specific conditions, but they may force networkd-dispatcher to run certain scripts blindly and as root. Attackers can use it to perform additional tasks such as distributing malware or deploying ransomware.
See the top 10 open source vulnerability assessment tools
Nimbuspwn Operation Steps
Microsoft researchers have described all the steps in a very explanatory diagram (image below) that shows how attackers could chain exploits to hijack networkd-dispatcher and gain root privileges:
Daemons and D-Bus
To understand how Nimbuspwn works, you need a basic overview of the Linux components involved, like daemons and buses.
Daemons are utility programs that run in the background to monitor and maintain certain subsystems. They perform very precise actions at predefined times or trigger for certain events. Anytime you see a process that ends with the letter d, it’s a daemon. You can test it with the ps command or by using built-in utilities like High.
So “networkd” stands for “network daemon”, and researchers were intrigued by the fact that the networkd-dispatcher daemon runs at boot time with root privileges on the system. If you have the component, you can verify it with the following command in the terminal:
ps -U root -u root u | grep networkd-dispatcher
D-Bus stands for “Desktop Bus” and allows communication between processes. This mechanism is developed by the freedesktop project and provides the necessary abstraction (or “software bus”, a model facilitating communication between software modules) to ensure that all processes connected to the bus can communicate with each other efficiently.
Linux systems (e.g. desktop environments) use D-Bus to instantiate multiple buses, including a single system bus available to all system users and processes, which provide access to system services.
Because root-owned system services listen and respond to the system bus, it’s an attractive target for hackers.
Own the org.freedesktop.network1 bus
To achieve their feat, the researchers needed to own the bus name org.freedesktop.network1 under a privileged service:
Such a bus name normally belongs to the systemd-networkd service, but hackers can change it if they manage to get an unauthorized D-Bus.
These vulnerabilities can seem a little tricky to string together and exploit, and researchers had to plant multiple files and make multiple attempts to earn the TOCTOU race condition. However, they provided a backdoor using Nimbuspwn, which allowed them to bypass the exploit when they wanted to use root commands again.
Any vulnerability that allows root elevation should be taken seriously, no matter how difficult it is to exploit.
See the best vulnerability management tools
How to Protect Against Nimbuspwn
At the time of writing, there is no official list of affected environments and distributions, but the Microsoft research team mentioned Linux Mint, a lightweight distribution based on Ubuntu, a Debian-based operating system and perhaps the most popular Linux distribution.
A quick search can help you identify all distributions that may contain the vulnerable component. Clayton Craft, the maintainer of networkd-dispatcher, fixed the vulnerabilities, so if you have the component enabled, you are strongly encouraged to update.
However, and this is good news in this case, the component may not be installed by default in all distributions. You can check it manually, but there is already a free open source detector available on GitHub that will check if the process is running on your system.
More generally, Nimbuspwn shows how important it is to monitor all endpoints, including Linux devices. There are a growing number of vulnerabilities and exploits in Linux systems and components, and that won’t stop any time soon, as Linux is prevalent in many cloud-based architectures and servers.
For me, the major problem with such flaws is that they are often underestimated, mainly because they require a local user, so hackers must already be in a machine to exploit them. This is no valid reason to neglect risk, as lateral moves and privilege escalations have become part of the hacker’s routine.
You can’t rely on just one layer of security, and organizations need to prepare for post-exploitation techniques.
Read more: Best endpoint detection and response (EDR) solutions
