Microsoft Discovers Dual Linux Security Problems: Nimbuspwn

Who’d have thought it? Microsoft, which has embraced Linux in recent years, is now finding and helping to fix Linux security holes. The biggest example of this is Microsoft’s recent discovery of CVE-2022-29799 and CVE-2022-29800. This pair of systemd networkd-dispatcher security bugs, named Nimbuspwn, can be chained together to gain root privileges on Linux systems.
I hate root-level vulnerabilities.
One good thing about this is that it is really not a Linux bug, but a systemd security problem. So Linux distros that don’t use systemd, such as the popular container distro Alpine Linux, are immune to Nimbuspwn. Still, Canonical, Ubuntu Linux’s parent company, calls it a high-priority bug.
Networkd-dispatcher is a root-level dispatcher daemon for systemd-networkd connection status changes. It’s similar to NetworkManager-dispatcher but is much more limited in the types of events it handles. It listens for signals from systemd-networkd over Desktop-Bus (D-Bus), an inter-process communication (IPC) mechanism that’s primarily used on the Linux desktop.
Microsoft on the Case
The Microsoft 365 Defender Research Team found the problems while listening to System Bus messages during code reviews and dynamic analysis of services that run as root.
Why was Microsoft doing this? After all, Windows has enough security problems to keep Microsoft’s security teams busy for another generation or two. It’s because Microsoft has its own versions of Linux now, such as Windows Subsystem for Linux (WSL) 2.0, and Linux security programs such as Microsoft Defender for Endpoint on Linux server, which now includes endpoint detection and response (EDR) abilities. In short, securing Linux is now Microsoft’s business as well.
Specifically, the researchers found that D-Bus exposes a global System Bus. Networkd-dispatcher had several problems that could be used to cause trouble on the System Bus. These included a directory traversal (CVE-2022-29799), a symlink race, and a time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800). Put them all together and this spells trouble.
Easy to Do
To pull the Nimbuspwn exploit off, the exploit code must be able to own the bus name. Unfortunately, while this sounds difficult, there are several Linux environments where this can easily be pulled off. These include the Debian desktop Linux family, several gpgv plugins (launched when apt-get installs or upgrades), and the Erlang Port Mapper Daemon (epmd). Part of the underlying problem seems to be that systemd installs the policy fragment /usr/share/dbus-1/system.d/org.freedesktop.network1.conf. This configuration file allowed processes running under the systemd-network user account to own the name.
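For defenders, the practical question behind that policy fragment is which accounts a D-Bus policy allows to own a given bus name. The Python script below is an added example, not code from Microsoft or the networkd-dispatcher project, that lists those accounts from a policy file's XML. The sample policy is constructed for illustration, the function names are hypothetical, and the bus name org.freedesktop.network1 is assumed from the fragment's file name.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a D-Bus <busconfig> policy fragment;
# it is not copied from any installed file.
SAMPLE_POLICY = """\
<busconfig>
  <policy user="systemd-network">
    <allow own="org.freedesktop.network1"/>
    <allow send_destination="org.freedesktop.network1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.network1"/>
  </policy>
  <policy user="root">
    <allow own_prefix="org.freedesktop"/>
  </policy>
</busconfig>
"""

def rule_covers(allow, bus_name):
    """True if an <allow> rule grants ownership of bus_name."""
    own = allow.get("own")
    if own is not None and own in ("*", bus_name):
        return True
    prefix = allow.get("own_prefix")
    # own_prefix matches the name itself and its dotted children only.
    return prefix is not None and (
        bus_name == prefix or bus_name.startswith(prefix + "."))

def owners_of(policy_xml, bus_name):
    """Return sorted (kind, principal) pairs allowed to own bus_name."""
    # Only <allow> rules are read; <deny> rules and rule ordering are not
    # evaluated, so the result is a list to review, not a final verdict.
    root = ET.fromstring(policy_xml)
    found = set()
    for policy in root.iter("policy"):
        kinds = [k for k in ("user", "group", "context", "at_console") if k in policy.attrib]
        if kinds and any(rule_covers(a, bus_name) for a in policy.findall("allow")):
            found.add((kinds[0], policy.attrib[kinds[0]]))
    return sorted(found)

def non_root_owners(policy_xml, bus_name):
    """Owners other than the root user: the accounts whose processes need review."""
    return [p for p in owners_of(policy_xml, bus_name) if p != ("user", "root")]

if __name__ == "__main__":
    for kind, who in non_root_owners(SAMPLE_POLICY, "org.freedesktop.network1"):
        print(f"{kind}={who} may own org.freedesktop.network1")
```

Any non-root account it reports is one whose running processes are worth inventorying, since code executing under that account could claim the name.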
After Microsoft discovered the problems, the researchers did the right thing. They informed the networkd-dispatcher maintainer, Clayton Craft. Fixes for these vulnerabilities are now available.