On April 26, 2022, the Microsoft 365 Defender Research Team disclosed two novel vulnerabilities, collectively dubbed Nimbuspwn, that let a local attacker escalate privileges to root on many Linux desktop environments. The Nimbuspwn flaws are tracked as CVE-2022-29799 and CVE-2022-29800.

Chained together, these flaws allow an attacker who already has an unprivileged foothold on the host to obtain root privileges and run arbitrary code as root, which in turn enables payload deployment and deeper compromise of the affected Linux system. Because the end state is root-level code execution, Nimbuspwn also turns a minor foothold into a staging point for more advanced threats, including ransomware.

CVE-2022-29799 and CVE-2022-29800 Detection: Nimbuspwn

To provide visibility into threats related to the recently uncovered Nimbuspwn vulnerabilities tracked as CVE-2022-29799 and CVE-2022-29800, the SOC Prime Team has delivered a dedicated Sigma rule available in the SOC Prime platform. Security practitioners can register for the platform or log in with existing credentials to reach this rule:

Possible Nimbuspwn LPE Activity (via process_creation)

This detection is available for 20 SIEM, EDR, and XDR solutions and is aligned with the latest MITRE ATT&CK® framework version for improved visibility into adversary TTPs. It addresses the Privilege Escalation tactic and the corresponding Exploitation for Privilege Escalation technique (T1068). Note that a process_creation rule fires on the post-exploitation activity (the attacker-controlled script being launched by the dispatcher), not on the D-Bus message itself, so it complements rather than replaces patching.

To keep SIEMs and other security solutions updated with near real-time SOC content, teams are welcome to explore the comprehensive detection stack available in the SOC Prime platform by clicking the View Detections button. Cybersecurity enthusiasts who want to strengthen collective defense by contributing to a crowdsourced initiative can join the Threat Bounty Program as a starting point for developing threat hunting and content development skills and collaborating for a safer digital future.


Nimbuspwn Overview

According to Microsoft's research, the flaws were found while reviewing networkd-dispatcher, a daemon that runs hook scripts in response to systemd-networkd connection state changes delivered over the D-Bus inter-process communication (IPC) mechanism. The researchers identified a directory traversal issue (CVE-2022-29799), where the network state name received over the bus is used to build the path of the hook script directory without adequate sanitization, and a symlink race combined with a time-of-check to time-of-use (TOCTOU) flaw (CVE-2022-29800), where the daemon validates a script's ownership and permissions by path and then executes it, leaving a window in which the file can be swapped for an attacker-controlled one. Chained, they allow an attacker to acquire root privileges on the Linux system and plant backdoors in the compromised environment.
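The two bug classes described above, shown side by side with their hardened forms, as an added example. This is a simplified model written for this article, not networkd-dispatcher's own code: the hook directory layout (`<base>/<state>.d/`), the `STATE_RE` whitelist, the `trusted_uid` parameter (the real daemon trusts root; the demo substitutes the current user so it runs unprivileged) and the constructed file fixture are all assumptions of the example.

```python
import os
import re
import stat
import tempfile

# Assumption of this example: a legitimate state name is a plain lowercase
# word such as "routable" or "no-carrier"; anything else is hostile input.
STATE_RE = re.compile(r"^[a-z][a-z-]*$")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def vulnerable_script_dir(base, state):
    """Traversal model: the bus-supplied state is pasted straight into the hook path."""
    return os.path.normpath(os.path.join(base, state + ".d"))


def hardened_script_dir(base, state):
    """Whitelist the state name, then confirm the resolved path still lies under base."""
    if not STATE_RE.match(state):
        raise ValueError(f"refusing unexpected state name {state!r}")
    real_base = os.path.realpath(base)
    path = os.path.realpath(os.path.join(real_base, state + ".d"))
    if os.path.commonpath([real_base, path]) != real_base:
        raise ValueError("hook directory escapes base")
    return path


def vulnerable_is_trusted(path, trusted_uid=0):
    """Check-then-use by name: stat() follows symlinks, and the name can be re-pointed before exec."""
    st = os.stat(path)
    return st.st_uid == trusted_uid and not (st.st_mode & WRITABLE_BY_OTHERS)


def hardened_open_trusted(path, trusted_uid=0):
    """Open without following links and check the opened descriptor, so check and use share one inode."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("hook is not a regular file")
        if st.st_uid != trusted_uid or st.st_mode & WRITABLE_BY_OTHERS:
            raise PermissionError("hook not owned by trusted uid or writable by others")
        return fd  # execute via the fd (fexecve / /proc/self/fd/N), never by name again
    except BaseException:
        os.close(fd)
        raise


def demo():
    """Build a throwaway hook tree (constructed fixture) and exercise both versions."""
    me = os.getuid()  # stand-in for root so the example runs unprivileged
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "hooks")
        hookdir = os.path.join(base, "routable.d")
        os.makedirs(hookdir)
        attacker_dir = os.path.join(tmp, "attacker.d")  # outside the hook root
        os.makedirs(attacker_dir)

        good = os.path.join(hookdir, "10-good")
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(good, 0o700)

        loose = os.path.join(hookdir, "20-loose")  # world-writable: must be refused
        with open(loose, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(loose, 0o777)

        payload = os.path.join(attacker_dir, "payload")
        with open(payload, "w") as f:
            f.write("#!/bin/sh\necho pwned\n")
        os.chmod(payload, 0o700)
        link = os.path.join(hookdir, "30-link")  # symlink planted in the hook directory
        os.symlink(payload, link)

        # Directory traversal: state "../attacker" resolves to <tmp>/attacker.d
        vuln_dir = vulnerable_script_dir(base, "../attacker")
        rb = os.path.realpath(base)
        results["traversal_escapes"] = os.path.commonpath([rb, os.path.realpath(vuln_dir)]) != rb
        try:
            hardened_script_dir(base, "../attacker")
            results["hardened_rejects_traversal"] = False
        except ValueError:
            results["hardened_rejects_traversal"] = True
        results["hardened_accepts_routable"] = hardened_script_dir(base, "routable") == os.path.realpath(hookdir)

        # TOCTOU / symlink: the by-name check trusts the link's target, the fd check refuses the link
        results["vulnerable_trusts_link"] = vulnerable_is_trusted(link, me)
        try:
            hardened_open_trusted(link, me)
            results["hardened_rejects_link"] = False
        except OSError:  # ELOOP from O_NOFOLLOW
            results["hardened_rejects_link"] = True
        try:
            hardened_open_trusted(loose, me)
            results["hardened_rejects_loose"] = False
        except PermissionError:
            results["hardened_rejects_loose"] = True
        fd = hardened_open_trusted(good, me)
        os.close(fd)
        results["hardened_accepts_good"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the fd-based check is that ownership and mode are read from the same inode that will be executed; checking by path and then executing by path is exactly the window a symlink race exploits, and no amount of re-checking by name closes it.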

To mitigate Nimbuspwn exploitation attempts, networkd-dispatcher users are advised to update to the latest released version, in which the maintainer has addressed both issues. Beyond patching, organizations should continuously monitor their Linux environments, since newly disclosed local privilege escalation flaws of this kind tend to be weaponized quickly once a foothold is available.

A proactive vulnerability management approach helps organizations identify and mitigate previously unknown flaws and exploits in a timely manner. Leveraging SOC Prime's Detection as Code platform enables teams to detect threats at the earliest stages of the attack lifecycle while continuously strengthening their cyber defense capabilities.
