Skip to content

New Linux vulnerabilities let attackers install ransomware or backdoors

  • by
  • 2 min read

Microsoft’s security researchers have disclosed two Linux vulnerabilities, namely CVE-2022-29799 and CVE-2022-29800, that can allow local attackers to gain admin privileges on Linux machines to do anything from deploying malware to backdoors even ransomware. 

Collectively tracked as Nimbuspwn, these vulnerabilities were disclosed in a report published on Wednesday. The discovery happened when researchers listened to the Linux System Bus messages, which made them look into the code flow for networkd-dispatcher. This component handles connection status changes. 

Networkd-dispatcher review led to multiple security concerns, including directory traversal, symlink race and time-of-check-time-of-use race condition issues, which can be leveraged to escalate privileges to deploy malware or other malicious software. Fixes for the new vulnerabilities have been released by Clayton Craft, the maintainer of the networkd-dispatcher. 

In the News: Critical VMware flaw exploited to install backdoors

Privilege escalation can cause headaches

The networkd-dispatcher daemon was running at boot with root privileges on the system; this further led the researchers to observe a method that the daemon called “run_hooks_for_state”, which was discovering and running scripts depending on the current network state. 

New Linux vulnerabilities let attackers install ransomware or backdoors

According to Microsoft’s report, this method has several security issues, as mentioned above. These include:

  • Directory Traversal (CVE-2022-29799): Since none of the functions in the program flow clean up the OperationalState or AdministrativeState, these states can be used to build a script patch, meaning a state containing directory traversal patterns can escape from the base directory (/etc/networkd-dispatcher).
  • Time-of-check-time-of-use race condition (CVE-2022-29800): There’s a certain time difference between the discovered and run scripts. This difference can be leveraged by an attacker to replace scripts, tricking the program into running scripts that a root user with root privileges doesn’t own. 

The two vulnerabilities can be used to let an attacker with local privileges run scripts and gain root access by sending arbitrary signals. Leveraging these vulnerabilities is possible only after the exploit code owns a bus name under a privileged service or process. 

There are several different Linux environments where this is possible, most notably Linux Mint.

In the News: $1 million worth of BAYC NFTs stolen in Instagram phishing hack


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: