Microsoft discovers ‘several’ vulnerabilities affecting Linux desktop endpoints

Several vulnerabilities giving an attacker the ability to exploit Linux desktop endpoints were discovered by Microsoft researchers this week. 

In a blog on Tuesday, Microsoft 365 Defender Research Team’s Jonathan Bar Or said the vulnerabilities – known collectively as Nimbuspwn – can be “chained together” and used to “deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” 

“Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices,” Or said. “Fixes for these vulnerabilities, now identified as CVE-2022-29799 and CVE-2022-29800, have been successfully deployed by the maintainer of the networkd-dispatcher, Clayton Craft. Users of networkd-dispatcher are encouraged to update their instances.”

Microsoft researchers discovered the issues while performing code reviews and dynamic analysis on services that run as root.

Microsoft discovered vulnerabilities, collectively referred to as Nimbuspwn, that can be chained together to gain root privileges on Linux systems, allowing attackers to potentially deploy payloads on vulnerable devices. Read our blog via @yo_yo_yo_jbo:https://t.co/QqPP0UgtQD

— Microsoft Security Intelligence (@MsftSecIntel) April 26, 2022

The issues revolve around D-Bus, short for “Desktop-Bus,” which was developed by the freedesktop.org project and serves as an “inter-process communication channel (IPC) mechanism”

D-Bus allows processes on the same endpoint to communicate by transmitting messages and responding to them, according to Or.

"This is an interesting set of vulnerabilities affecting Linux desktop users. The risk footprint could be broad: Linux desktops aren’t just for hobbyists, tens of thousands of Google employees use a derivative of Debian as their desktop OS, and there are a number of other notable corporate, government, and research facilities that have large Linux desktop deployments," BluBracket's Casey Bisson said.

"A privilege escalation attack against this user base could be used for espionage or as part of a chained attack to gain control over additional resources."

Vulcan Cyber’s Mike Parkin told The Record there is no indication that the vulnerabilities have been exploited in the wild and that exploiting these vulnerabilities appears to require a local account.

He noted that there are multiple ways to mitigate them beyond the recommended patching.

Other experts, like Viakoo CEO Bud Broomhead, said Nimbuspwn is another example of threat actors shifting attack vectors to open source and Linux-based exploits.

“By their nature they are harder to remediate and often have an extended vulnerability period because traditional solutions for detection and remediation may not apply, and because there are multiple Linux distributions (over 600) there may equally be many patches needing to be applied,” Broomhead said. 

“Privilege escalation by exploiting Nimbuspwn requires urgent action; not only can this lead to remote code execution but also data exfiltration, planting of deepfakes, and distribution of ransomware.”

Netenrich principal threat hunter John Bambenek explained that most Debian-based Linux distributions use the configuration highlighted in Microsoft's blog by default but noted that it requires an attacker to have shell access on the machine already.

“This seems to be a pretty prevalent issue,” Bambenek said. “This is a solid find by Microsoft made more interesting by the fact that the Linux aspects included in Microsoft wouldn’t include this.”