Microsoft has discovered Nimbuspwn — several security vulnerabilities that could allow an attacker to elevate privileges, deploy malware, or carry out other malicious activities.
According to Microsoft’s Jonathan Bar Or, the vulnerabilities were discovered by listening to messages on the System Bus — a method by which data is communicated between all the internal pieces of a computer — while performing code reviews and dynamic analysis on services that run as root. Researchers noticed an odd pattern in a system unit called networkd-dispatcher, a component in several Linux distributions that dispatches network status changes and runs scripts in response to a new status.
Multiple security concerns were immediately revealed during the review of the code flow. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution. Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices.
Microsoft has shared the security vulnerabilities through the Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). The vulnerabilities, now identified as CVE-2022-29799 and CVE-2022-29800, have been patched in networkd-dispatcher. Currently, there aren’t any indications that the Nimbuspwn vulnerabilities have been exploited in the wild, says Mike Parkin, Senior Technical Engineer at Vulcan Cyber.
Nimbuspwn is another example of how threat actors have shifted attack vectors to open source and Linux-based exploits, says Bud Broomhead, CEO at Viakoo. By nature, this type of vulnerability is harder to remediate and often has an extended vulnerability period as traditional solutions for detection and remediation may not apply, Broomhead explains.
“Privilege escalation by exploiting Nimbuspwn requires urgent action; not only can this lead to remote code execution but also data exfiltration, planting of deepfakes, and distribution of ransomware,” he says.
In addition, as the number of vulnerabilities in Linux environments continues to grow, organizations should ensure they have a holistic view of their security posture so they can monitor and mitigate threats such as Nimbuspwn. Organizations and their security leaders are encouraged to detect, manage, respond to, and remediate security vulnerabilities.