Microsoft points at Linux and shouts: Look, look! Privilege-escalation flaws here, too!
Will Redmond start code-naming Windows make-me-admin bugs?
Flaws in networkd-dispatcher, a service used in some parts of the Linux world, can be exploited by a rogue logged-in user or application to escalate their privileges to root level, allowing the box to be commandeered, Microsoft researchers said Wednnesday.
It's nice of Redmond to point out these flaws and have them fixed in any affected distributions; the US tech giant is a big user of Linux and relies on the open-source OS throughout its empire. It's just a little perplexing the biz went to all the effort of a big write-up and giving the flaws a catchy name, Nimbuspwn, when countless privilege-elevation holes are fixed in the Windows operating system each month, and we can't recall Microsoft lately making this much of a song and dance over them.
"The growing number of vulnerabilities on Linux environments emphasize the need for strong monitoring of the platform's operating system and its components," wrote Jonathan Bar Or of the Microsoft 365 Defender Research Team, which, again, is perhaps a bit rich for the Windows goliath to bring up.
It's not that Linux doesn't have security vulnerabilities – it has plenty, and they ought to be publicized – it's just that glasshouses and stones come to mind. If you're using a vulnerable Linux distro, grab its latest updates to patch the flaw. It appears networkd-dispatcher was updated three weeks ago, to version 2.2, to close the holes.
Microsoft said it spotted the vulnerabilities – now tracked as CVE-2022-29799 and CVE-2022-29800 – while performing code reviews and dynamic analysis on services that run as root. We're told that analysts noticed an "odd pattern" in networkd-dispatcher, an open-source tool that can be used to detect and act on connection status changes.
The security weaknesses uncovered in the review included insecure directory traversal, symlink races, and time-of-check-time-of-use race conditions, which can be exploited to elevate one's privileges, allowing them to deploy malware or perform other malicious activities through arbitrary root code execution.
"Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices," Bar Or wrote.
All three vulnerabilities were found by following the flow of execution to a _run_hooks_for_state method, which is responsible for finding and running scripts. With the time-of-check-time-of-use race condition, "there is a certain time between the scripts being discovered and them being run," he wrote. "An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root to ones that are not."
Microsoft said it also found minor info-leaking bugs in Blueman and PackageKit on Linux.
According to Casey Bisson, head of product and developer relations at code security vendor BluBracket, these privilege-escalation holes could be useful for miscreants seeking to gain a stronger foothold in a Linux-dependent organization so that espionage or extortionware activities can be carried out.
"This is an interesting set of vulnerabilities affecting Linux desktop users," Bisson told The Register. "The risk footprint could be broad. Linux desktops aren't just for hobbyists. Tens of thousands of Google employees use a derivative of Debian as their desktop OS, and there are a number of other notable corporate, government and research facilities that have large Linux desktop deployments."
- AWS's Log4j patches blew holes in its own security
- Attackers exploit Spring4Shell flaw to let loose the Mirai botnet
- FBI: BlackCat ransomware scratched 60-plus orgs
- Microsoft ups bug bounties 30% for cloud lines, pays more for 'scenario-based' exploits
Open-source software continues to be a target of spies and crooks looking to exploit vulnerabilities. The high-profile flaw found in the Log4j library late last year continues to be abused, and more recently fiends have looked to leverage the Spring4Shell vulnerability in the Spring Framework.
Bud Broomhead, CEO of cybersecurity firm Viakoo, told The Register bugs like Nimbuspwn require action not just by users to fetch and install patches, but also distribution managers to spot fixes and push out updates in the first place. "By their nature they are harder to remediate and often have an extended vulnerability period because traditional solutions for detection and remediation may not apply, and because there are multiple Linux distributions – over 600 – there may equally be many patches needing to be applied," Broomhead said.
Bar Or wrote that networkd-dispatcher's maintainer Clayton Craft was notified of the holes and fixes were released; these should be filtering their way down to endpoints as they update their packages.
"Defending against the evolving threat landscape requires the ability to protect and secure users' computing experiences, be it a Windows or non-Windows device," Bar Or opined. "This case displayed how the ability to coordinate such research via expert, cross-industry collaboration is vital to effectively mitigate issues, regardless of the vulnerable device or platform in use." ®