Researchers at Microsoft have documented a family of vulnerabilities that affect Linux systems, dubbed Nimbuspwn.  These vulnerabilities can be chained together in order to gain root privileges on Linux systems allowing attackers to install malware and access all data on the server.

The vulnerabilities in the networkd-dispatcher are tracked as CVE-2022-29799 and CVE-2022-29800.   Networkd-dispatcher runs as root and can invoke scripts when monitored components enter specific states.  By exploiting a path traversal vulnerability (CVE-2022-29799), the networkd-dispatcher daemon can be tricked into running scripts planted by the attacker.  While the daemon contains a validation that the scripts it is about to run are owned by root, a time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800) can be exploited to replace the validated script with one controlled by the attacker causing it to be executed as root by the daemon.

This is an interesting example of how vulnerabilities can be chained together in order to produce a more powerful and dangerous exploit.

A detailed analysis of the vulnerability and how it was discovered is documented in the blog post from Microsoft’s 365 Defender Research Team.

While the networkd-dispatcher has been patched by its maintainer, check with your Linux distro maintainer to see if the patch has filtered through yet.