CVE-2022-29799 and CVE-2022-29800 Detection: Novel Privilege Escalation Vulnerabilities in Linux OS Known as Nimbuspwn
- Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America - 24.04.2024
- UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine - 23.04.2024
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
Table of contents:
On April 26, Microsoft 365 Defender Research Team discovered a couple of novel vulnerabilities collectively dubbed Nimbuspwn, enabling adversaries to escalate privileges on multiple Linux desktop environments. The newly detected Nimbuspwn flaws have been identified as CVE-2022-29799 and CVE-2022-29800.
Once chained together, these flaws give hackers the green light to obtain root privileges, lead to deploying payloads, and further compromise the Linux systems via arbitrary root code execution. In addition, the potentially malicious activity can be escalated via these novel Nimbuspwn vulnerabilities, exposing compromised Linux environments to more advanced threats, including ransomware attacks.Ā
CVE-2022-29799 and CVE-2022-29800 Detection: Nimbuspwn
To provide visibility into threats related to the recently uncovered Nimbuspwn vulnerabilities tracked as CVE-2022-29799 and CVE-2022-29800, the SOC Prime Team has delivered a dedicated Sigma rule available in the SOC Primeās platform. Security practitioners are prompted to register for the platform or log in with the existing credentials to reach this rule:
Possible Nimbuspwn LPE Activity (via process_creation)
This detection can be used across 20 SIEM, EDR, and XDR solutions and is aligned with the latest MITRE ATT&CKĀ® framework version for improved visibility into adversary TTPs, addressing the Privilege Escalation tactic and the corresponding Exploitation for Privilege Escalation technique (T1068).
To keep SIEMs and other security solutions in use constantly updated on the near real-time SOC content, teams are welcome to explore the comprehensive detection stack available in the SOC Primeās platform by clicking the View Detections button. For those cybersecurity enthusiasts who are striving to reinforce the cyber defense potential through contribution to a crowdsourcing initiative, joining Threat Bounty Program can be a great jumping-off point to evolve threat hunting and content development skills and collaborate for a safer digital future.Ā
View Detections Join Threat Bounty
Nimbuspwn Overview
As per an inquiry by Microsoft, researchers revealed a batch of security gaps while inspecting a systemd component dubbed networkd-dispatcher within a popular D-Bus inter-process communication channel (IPC) mechanism. Particularly, they identified a directory traversal issue (CVE-2022-29799) as well as symlink race and time-of-chek to time-of-use flaws (CVE-2022-29800) that could be chained to acquire root privileges on Linux systems and execute backdoors in the compromised environments.
To mitigate the potential threats associated with Nimbuspwn vulnerabilities exploitation attempts, networkd-dispatcher users are prompted to update their instances to the latest software versions. Moreover, progressive organizations striving to improve their cybersecurity posture should take measures to constantly monitor their environments due to the high risks of emerging flaws discovered on Linux systems.Ā
Implementing a proactive vulnerability management approach can help organizations timely reveal and mitigate threats and exploits that were unknown earlier. Leveraging SOC Primeās Detection as Code platform enables teams to detect threats at the earliest stages of attack lifecycle while continuously accelerating cyber defense capabilities.
