Microsoft Discovers New Vulnerabilities
Microsoft has disclosed several vulnerabilities, collectively referred to as Nimbuspwn, in networkd-dispatcher, the helper service that runs scripts when systemd-networkd reports a change in connection state. Chained together, they could allow an unprivileged local user to elevate privileges to root on many Linux desktop endpoints.
Microsoft issued an alert on the vulnerabilities.
The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing a local attacker to deploy payloads, such as a root backdoor, and perform other malicious actions via arbitrary root code execution. Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices.
Patches for these vulnerabilities have been released upstream, Microsoft said; applying them is up to each distribution and each host's administrator.
“Users of networkd-dispatcher are encouraged to update their instances,” said Jonathan Bar Or of the Microsoft 365 Defender Research Team.
Bud Broomhead is CEO of Viakoo, a provider of automated IoT cyber hygiene.
“Nimbuspwn is another example of how threat actors have shifted attack vectors to open source and Linux-based exploits,” he said. “By their nature they are harder to remediate and often have an extended vulnerability period because traditional solutions for detection and remediation may not apply, and because there are multiple Linux distributions (over 600), [there are] many patches needing to be applied.”
Privilege escalation by exploiting Nimbuspwn requires urgent action, Broomhead said. Not only can this lead to remote code execution but also to data exfiltration, the planting of deepfakes and the distribution of ransomware.
“This highlights how current mechanisms around identity and access management can be thwarted by threat actors, which should be a push to organizations to extend their zero trust initiatives to all devices, including Linux and IoT systems,” he said.
Mike Parkin is senior technical engineer at Vulcan Cyber.
“Any vulnerability that potentially gives an attacker root-level access is problematic,” he said. “Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released. While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”
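The two practical questions raised above, whether a host is running networkd-dispatcher at all (Parkin's point that the exposure needs a susceptible configuration and a local account) and whether it has picked up the update Microsoft recommends, can be answered with a short triage script. The one below is an added example, not code from the article, from Microsoft, or from the networkd-dispatcher project. It assumes a Debian/Ubuntu (dpkg) or RPM-based host with systemd, and it deliberately does not hard-code the fixed version: set `FIXED_VERSION` from your own distribution's advisory. The `systemctl disable --now` line it suggests for hosts that do not need the service is this example's mitigation, not one the article prescribes.

```shell
#!/bin/sh
# Added triage script (not from the article, Microsoft, or the
# networkd-dispatcher project). Answers two questions on a Linux host:
#   1. is networkd-dispatcher installed, and is its service active?
#   2. is the packaged version at or above the fixed version?
# The fixed version is an input, not asserted here: set FIXED_VERSION from
# your distribution's advisory (assumption: a dotted, mostly numeric string).
FIXED_VERSION="${FIXED_VERSION:-}"

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# segment by segment ("2.10" > "2.9"). A leading epoch ("1:") is dropped and
# non-numeric suffixes such as "2-1ubuntu1" are stripped per segment.
version_ge() {
    a="${1#*:}"; b="${2#*:}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="$(printf '%s' "$ai" | sed 's/[^0-9].*$//')"
        bi="$(printf '%s' "$bi" | sed 's/[^0-9].*$//')"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# installed_version: print the packaged version via dpkg or rpm, else nothing.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' networkd-dispatcher 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q networkd-dispatcher >/dev/null 2>&1 \
            && rpm -q --qf '%{VERSION}-%{RELEASE}' networkd-dispatcher
    fi
}

# exposure_status: one word on stdout.
#   absent   - networkd-dispatcher is not installed
#   inactive - installed but the service is not active
#   active   - installed and running (exposed if unpatched)
exposure_status() {
    if ! command -v networkd-dispatcher >/dev/null 2>&1 \
       && [ ! -f /usr/lib/systemd/system/networkd-dispatcher.service ] \
       && [ ! -f /lib/systemd/system/networkd-dispatcher.service ]; then
        echo absent; return 0
    fi
    if command -v systemctl >/dev/null 2>&1 \
       && systemctl is-active --quiet networkd-dispatcher 2>/dev/null; then
        echo active
    else
        echo inactive
    fi
}

# assess: print findings; return 2 if the host looks exposed (service active
# and not known to be at or above FIXED_VERSION), 0 otherwise.
assess() {
    status="$(exposure_status)"
    echo "networkd-dispatcher: $status"
    [ "$status" = absent ] && return 0
    ver="$(installed_version)"
    echo "packaged version: ${ver:-unknown}"
    if [ -n "$ver" ] && [ -n "$FIXED_VERSION" ] \
       && version_ge "$ver" "$FIXED_VERSION"; then
        echo "at or above fixed version $FIXED_VERSION"
        return 0
    fi
    if [ "$status" = active ]; then
        echo "EXPOSED: update the package; if this host does not need the"
        echo "service at all, a stopgap is: systemctl disable --now networkd-dispatcher"
        return 2
    fi
    echo "installed but not running: update before re-enabling the service"
    return 0
}

# Run only when invoked as: sh nimbuspwn-triage.sh run
if [ "${1:-}" = run ]; then assess; fi
```

Run it as `FIXED_VERSION=<version from your advisory> sh nimbuspwn-triage.sh run`; an exit status of 2 flags a host that is running the service without a version known to carry the fix, which is the set of machines to patch first. The version comparison is intentionally lenient about distro suffixes, so treat a match as "not obviously old" rather than proof of a backported fix; distributions that backport without bumping the version need the advisory's own package revision checked instead.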