Author: Dalibor Gašić / Last Updated: 7/01/2022
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
In April 2022, the Microsoft 365 Defender Research Team discovered a vulnerability named Nimbuspwn, which lets an attacker escalate privileges from a low-privileged local user to root on multiple Linux desktop environments.
The “Nimbuspwn” vulnerability is recorded as CVE-2022-29799 (Directory Traversal) and CVE-2022-29800 (TOCTOU race conditions).
When these two vulnerabilities are chained together, they give the attacker root privileges. From there, the attacker can deploy other payloads, compromising Linux systems via arbitrary root code execution and potentially exposing compromised Linux environments to more advanced threats, including ransomware attacks, to achieve greater impact on vulnerable devices.
According to research by the Microsoft team, the vulnerability was found in networkd-dispatcher versions v2.0-2 and v2.1-2. For those who don't know, this service is a dispatcher daemon for systemd-networkd connection status changes.
It is similar to NetworkManager-dispatcher, but is much more limited in the types of events it supports due to the limited nature of systemd-networkd.
Reference: Detailed explanation for networkd-dispatcher.
With these simple commands, we can check on our Linux distribution whether this service exists and whether it is enabled, as well as which version it is.
This command is enough to see the version information.
This command will give you comprehensive information about the package.
In this image, we can see an example of a vulnerable server as it’s running v.2.1-2.
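A scripted form of the check described above, added here as an example and not taken from the original article. It assumes a Debian or Ubuntu host (`dpkg-query`) running systemd, flags only the two versions the article names, and uses illustrative function names.

```sh
#!/bin/sh
# Added example (not from the article): triage a host for the
# networkd-dispatcher builds the article lists as vulnerable.
# Assumption: Debian/Ubuntu packaging (dpkg-query) and systemd (systemctl).
PKG="networkd-dispatcher"
UNIT="networkd-dispatcher.service"

# classify_version VERSION -> vulnerable | not-listed | not-installed
classify_version() {
    v=${1#v}      # accept "v2.1-2" as well as "2.1-2"
    v=${v#*:}     # drop a dpkg epoch prefix if present
    case "$v" in
        "")          echo "not-installed" ;;
        2.0-2|2.1-2) echo "vulnerable" ;;   # versions named in the article
        *)           echo "not-listed" ;;   # anything else: check the vendor advisory
    esac
}

# verdict VERSION ENABLED_STATE ACTIVE_STATE -> one-line triage result
verdict() {
    case "$(classify_version "$1")" in
        not-installed) echo "OK: $PKG is not installed" ;;
        not-listed)    echo "REVIEW: $PKG $1 is not a listed build; confirm against the vendor advisory" ;;
        vulnerable)
            if [ "$2" = "enabled" ] || [ "$3" = "active" ]; then
                echo "ACTION: $PKG $1 is vulnerable and the service is in use; upgrade or remove it"
            else
                echo "WARN: $PKG $1 is vulnerable but the service is neither enabled nor active"
            fi ;;
    esac
}

# Read live state from the package database and systemd, then report.
check_host() {
    ver="" enabled="unknown" active="unknown"
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' "$PKG" 2>/dev/null) || ver=""
    fi
    if command -v systemctl >/dev/null 2>&1; then
        enabled=$(systemctl is-enabled "$UNIT" 2>/dev/null) || true
        active=$(systemctl is-active "$UNIT" 2>/dev/null) || true
    fi
    verdict "$ver" "$enabled" "$active"
}

check_host
```

A `REVIEW` result means only that the installed version is not one of the two the article lists; whether it carries the fix has to be confirmed from the distribution's advisory.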
If you have the networkd-dispatcher service enabled with a vulnerable version on your Linux distribution, we recommend a few steps to fix this flaw:
There are a few commands that we can use to update our system repositories:
You need to upgrade your service if it is installed and enabled:
You can always remove this service if there is no fixed version:
Microsoft also recommends implementing a “proactive vulnerability management approach” that identifies and mitigates previously unknown vulnerabilities.
It is also recommended to install endpoint security solutions capable of detecting the directory traversal vulnerability required to complete the Nimbuspwn attack chain.
Dalibor is a Senior Security Engineer with experience in penetration testing having recently served over 8 years in the Ministry of Internal Affairs in the Department of Cyber Security in Serbia.