Microsoft’s security researchers have disclosed two Linux vulnerabilities, CVE-2022-29799 and CVE-2022-29800, that can allow local attackers to gain admin privileges on Linux machines and use them for anything from deploying malware and backdoors to ransomware.
Collectively tracked as Nimbuspwn, the vulnerabilities were disclosed in a report published on Wednesday. The researchers found them while listening to messages on the Linux system bus, which prompted them to review the code flow of networkd-dispatcher, the component that handles network connection status changes.
The networkd-dispatcher review surfaced multiple security concerns, including directory traversal, a symlink race and a time-of-check-time-of-use (TOCTOU) race condition, which can be chained to escalate privileges and deploy malware or other malicious software. Clayton Craft, the maintainer of networkd-dispatcher, has released fixes for the vulnerabilities.
Privilege escalation can cause headaches
The networkd-dispatcher daemon runs at boot with root privileges; this led the researchers to examine a method in the daemon called “run_hooks_for_state”, which discovers and runs scripts depending on the current network state.
According to Microsoft’s report, this method has several security issues. These include:
- Directory Traversal (CVE-2022-29799): Since none of the functions in the program flow sanitize the OperationalState or AdministrativeState, these states are used as-is to build a script path, meaning a state containing directory traversal patterns can escape from the base directory (/etc/networkd-dispatcher).
- Time-of-check-time-of-use race condition (CVE-2022-29800): There is a window between the time the scripts are discovered and the time they are run. An attacker can use this window to replace scripts, tricking the program into running, with root privileges, scripts that root does not own.
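The two bullet points above describe the same weak pattern twice: an untrusted string is turned into a path without validation, and a file is checked at one moment and executed at a later one. The following is an added example, not code from networkd-dispatcher or from Microsoft’s report, showing how a dispatcher-style hook runner can close both gaps: the state name is validated as a single path component and the resulting directory is confirmed to stay under the base directory, and each hook is opened once with O_NOFOLLOW, vetted through its file descriptor (fstat, ownership, write bits) and executed through that same descriptor with fexecve, so the file that was checked is the file that runs. The `<state>.d` directory layout, the `trusted_uid` parameter and the sample hook directory built by `demo()` are assumptions of this example.

```python
import os
import re
import stat
import sys
import tempfile

# Assumed layout (hypothetical for this example): hooks for a state live in
# <base_dir>/<state>.d/ and are run with root privileges by the dispatcher.
BASE_DIR = "/etc/networkd-dispatcher"

# Only a plain lower-case token is accepted as a state name; '/', '.', and
# anything else that could form a traversal pattern is refused outright.
_STATE_RE = re.compile(r"[a-z][a-z0-9-]*")


def validate_state(state):
    """Return `state` if it is a safe single path component, else raise ValueError."""
    if not isinstance(state, str) or _STATE_RE.fullmatch(state) is None:
        raise ValueError(f"refusing unsafe state name: {state!r}")
    return state


def hook_dir_for_state(state, base_dir=BASE_DIR):
    """Build the hook directory path and confirm it cannot escape base_dir."""
    path = os.path.join(base_dir, validate_state(state) + ".d")
    real_base = os.path.realpath(base_dir)
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        raise ValueError(f"hook directory {path!r} escapes {base_dir!r}")
    return path


def check_script_fd(fd, path, trusted_uid=0):
    """Vet the file that was actually opened (not the path); raise PermissionError on failure."""
    st = os.fstat(fd)  # fstat on the fd: a later rename or symlink swap of `path` cannot matter
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != trusted_uid:
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")
    if not st.st_mode & stat.S_IXUSR:
        raise PermissionError(f"{path}: not executable")


def discover_and_open_hooks(state, base_dir=BASE_DIR, trusted_uid=0):
    """Return [(name, fd)] for hook scripts of `state` that pass the checks.

    Each script is opened exactly once with O_NOFOLLOW and vetted through that fd,
    so what is checked is what will be executed. Returned fds stay open for the caller."""
    hook_dir = hook_dir_for_state(state, base_dir)
    try:
        names = sorted(os.listdir(hook_dir))
    except FileNotFoundError:
        return []
    accepted = []
    for name in names:
        path = os.path.join(hook_dir, name)
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        except OSError as exc:  # ELOOP for a symlink, or the entry vanished after listdir
            print(f"skip {path}: {exc.strerror}", file=sys.stderr)
            continue
        try:
            check_script_fd(fd, path, trusted_uid)
        except PermissionError as exc:
            os.close(fd)
            print(f"skip {exc}", file=sys.stderr)
            continue
        accepted.append((name, fd))
    return accepted


def run_hook_fd(fd, argv, env):
    """Execute an already-vetted script through its fd (fexecve), never by re-opening the path."""
    pid = os.fork()
    if pid == 0:
        try:
            os.set_inheritable(fd, True)  # the kernel passes scripts to their interpreter as /dev/fd/N
            os.fexecve(fd, argv, env)
        finally:
            os._exit(127)
    _, status = os.waitpid(pid, 0)
    return status


def demo():
    """Constructed hook directory: one good script, one world-writable script, one symlink."""
    base = tempfile.mkdtemp()
    hook_dir = os.path.join(base, "routable.d")
    os.mkdir(hook_dir)
    good = os.path.join(hook_dir, "10-good.sh")
    with open(good, "w") as f:
        f.write("#!/bin/sh\necho hook ran\n")
    os.chmod(good, 0o755)
    bad = os.path.join(hook_dir, "20-bad.sh")
    with open(bad, "w") as f:
        f.write("#!/bin/sh\necho should not run\n")
    os.chmod(bad, 0o777)
    try:
        os.symlink(good, os.path.join(hook_dir, "30-link.sh"))
    except OSError:
        pass  # filesystem without symlink support; the demo still shows the other two checks
    hooks = discover_and_open_hooks("routable", base, trusted_uid=os.getuid())
    names = [name for name, _ in hooks]
    for _, fd in hooks:
        os.close(fd)
    return names


if __name__ == "__main__":
    print("accepted:", demo())  # only 10-good.sh survives the checks
```

Running the file prints the accepted hook names; the world-writable script is skipped by the mode check and the symlink is refused by O_NOFOLLOW. The same checks should be applied to the hook directory itself (ownership and write bits) before its entries are trusted, which this example omits for brevity.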
Together, the two vulnerabilities let an attacker with local privileges run scripts and gain root access by sending arbitrary signals. Exploiting them is possible only after the exploit code owns a bus name under a privileged service or process.
Several Linux environments satisfy that precondition, most notably Linux Mint.