Privilege escalation vulnerabilities discovered in Linux known as Nimbuspwn

Written by Aarush Ahuja
Co-founder @ FourCore
nimbuspwn vulnerability in linux

On April 26 2022, Microsoft's 365 Defender Research team published a bunch of new vulnerabilities in Linux dubbed Nimbuspwn. These flaws have been identified as CVE-2022-29799 and CVE-2022-29800. Chaining these flaws together allows attackers to gain root privileges on a vulnerable system. We'll take a look at the flaws present, how an attacker can exploit them and how you can detect if your systems are vulnerable to Nimbuspwn.

Users of networkd-dispatcher are recommended to update their packages to mitigate the vulnerability.

What is Nimbuspwn?

Nimbuspwn is a group of two vulnerabilities in the systemd component, networkd-dispatcher which contained security flaws such as directory traversal, symlink race and time-of-check-time-of-use (TOCTOU) race conditions. The vulnerabilities are assigned two CVEs: CVE-2022-29799 is assigned for the directory traversal issue and CVE-2022-29800 is assigned for the symlink race and TOCTOU race condition. Both of these vulnerabilities can be chained together to escalate to root privileges on a compromised system.

nimbuspwn flow chart
How Nimbuspwn exploit works

The researchers at Microsoft developed an exploit that was able to run an arbitrary script as root. This exploit copied /bin/sh to the /tmp directory, set /tmp/sh as Set-UID executable and invokes /tmp/sh -p to start a root shell!

Are you vulnerable to Nimbuspwn?

Jfrog has released a convenient script to help you detect if your systems are vulnerable to Nimbuspwn. A Linux system should be deemed vulnerable to Nimbuspwn if the following conditions are met:

  1. The vulnerable service networkd-dispatcher service is running.
  2. The systemd-networkd service is either not running or not set to run at next boot. Since this service owns the org.freedesktop.network1 bus on startup, an attacker will not be able to send messages on the bus if this service is running.
  3. The systemd-network user is in use. Specifically whether a process owned by this user is running, or that there exist setuid-executables owned by this user. An attacker must run code as the systemd-network user in order to own the org.freedesktop.network1 bus name and exploit the vulnerability. The attacker may be able to subvert these processes and/or setuid-executables to run arbitrary code. Note that the existence of such processes or binaries does not guarantee they can be subverted for arbitrary code execution by an attacker.

Running the detector script on my Ubuntu 20.04 based AWS EC2 Instance identifies it as not vulnerable to Nimbuspwn!

nimbuspwn detection script
Nimbuspwn detector on Ubuntu 20.04

Steps to run the detector script:

  1. Clone the respository:
1$ git clone https://github.com/jfrog/nimbuspwn-tools.git
  1. Give the script permissions:
1$ cd nimbuspwn-tools
2$ chmod +x nimbuspwn-detector.sh
  1. Run the nimbuspwn-detector.sh script:
1$ ./nimbuspwn-detector.sh
2Checking networkd-dispatcher process...
3Checking systemd-networkd process...
4It's unlikely that this system is vulnerable to Nimbuspwn, since systemd-networkd is running and enabled, preventing takeover of org.freedesktop.network1 messages

References