at GISEC 2024 Last Updated on Fri April 29, 2022
Privilege escalation vulnerabilities discovered in Linux known as Nimbuspwn
On April 26 2022, Microsoft's 365 Defender Research team published a bunch of new vulnerabilities in Linux dubbed Nimbuspwn. These flaws have been identified as CVE-2022-29799 and CVE-2022-29800. Chaining these flaws together allows attackers to gain root privileges on a vulnerable system. We'll take a look at the flaws present, how an attacker can exploit them and how you can detect if your systems are vulnerable to Nimbuspwn.
Users of networkd-dispatcher are recommended to update their packages to mitigate the vulnerability.
What is Nimbuspwn?
Nimbuspwn is a group of two vulnerabilities in the systemd component, networkd-dispatcher which contained security flaws such as directory traversal, symlink race and time-of-check-time-of-use (TOCTOU) race conditions. The vulnerabilities are assigned two CVEs: CVE-2022-29799 is assigned for the directory traversal issue and CVE-2022-29800 is assigned for the symlink race and TOCTOU race condition. Both of these vulnerabilities can be chained together to escalate to root privileges on a compromised system.
The researchers at Microsoft developed an exploit that was able to run an arbitrary script as root. This exploit copied /bin/sh to the /tmp directory, set /tmp/sh as Set-UID executable and invokes /tmp/sh -p to start a root shell!
Are you vulnerable to Nimbuspwn?
Jfrog has released a convenient script to help you detect if your systems are vulnerable to Nimbuspwn. A Linux system should be deemed vulnerable to Nimbuspwn if the following conditions are met:
- The vulnerable service
networkd-dispatcherservice is running. - The
systemd-networkdservice is either not running or not set to run at next boot. Since this service owns theorg.freedesktop.network1bus on startup, an attacker will not be able to send messages on the bus if this service is running. - The
systemd-networkuser is in use. Specifically whether a process owned by this user is running, or that there exist setuid-executables owned by this user. An attacker must run code as thesystemd-networkuser in order to own theorg.freedesktop.network1bus name and exploit the vulnerability. The attacker may be able to subvert these processes and/or setuid-executables to run arbitrary code. Note that the existence of such processes or binaries does not guarantee they can be subverted for arbitrary code execution by an attacker.
Running the detector script on my Ubuntu 20.04 based AWS EC2 Instance identifies it as not vulnerable to Nimbuspwn!
Steps to run the detector script:
- Clone the respository:
1$ git clone https://github.com/jfrog/nimbuspwn-tools.git
- Give the script permissions:
1$ cd nimbuspwn-tools 2$ chmod +x nimbuspwn-detector.sh
- Run the
nimbuspwn-detector.shscript:
1$ ./nimbuspwn-detector.sh 2Checking networkd-dispatcher process... 3Checking systemd-networkd process... 4It's unlikely that this system is vulnerable to Nimbuspwn, since systemd-networkd is running and enabled, preventing takeover of org.freedesktop.network1 messages
References
