October 4, 2023

The Microsoft 365 Defender Research Team has discovered two Linux privilege escalation flaws tracked as CVE-2022-29799 and CVE-2022-29800 dubbed as Nimbuspwn, which can be exploited by attackers to conduct various malicious activities, including the deployment of malware.

The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.

Microsoft Advisory

This can be exploited by attackers to achieve root access to the target systems and deploy by more sophisticated threats, such as ransomware.


Originally resides in the systemd component called networked-dispatcher, which is dispatcher daemon for systemd-networkd connection status changes.

The review of the code flow for networkd-dispatcher revealed multiple security issues, such as directory traversal, symlink race, time-of-check-time-of-use race condition issues.

By enumerating services that run as root and listen to messages on the System Bus, researhers performed both code reviews and dynamic analysis.

By combining these issues, an attacker in control of a rogue D-Bus service that can send an arbitrary signal, can deploy backdoors on the compromised final touches.

The researchers were able to develop their own exploit that runs an arbitrary script as root. The exploit also copies /bin/sh to the /tmp directory, sets /tmp/sh as a Set-UID (SUID) executable, and then invokes “/tmp/sh -p”. (the “-p” flag is necessary to force the shell to not drop privileges)


Users are recommended to update the networkd-dispatcher installer packages

Microsoft Defender for Endpoint’s  EDR capabilities detect the directory traversal attack required to leverage Nimbuspwn.

Leave a Reply

%d bloggers like this: