In this week’s security digest, we’ll discuss a Linux privilege escalation issue discovered by Microsoft and vulnerabilities related to Rancher and Redis.
Privilege Escalation in Linux, Nimbuspwn
The Microsoft 365 Defender Research team has discovered several vulnerabilities collectively called Nimbuspwn. The vulnerabilities can be chained together to gain root privileges on a Linux system. The Microsoft researchers were reviewing the code flow and performing dynamic analysis on services that run as root, when they discovered the vulnerabilities in networkd-dispatcher, a dispatcher daemon for systemd-networkd connection status changes.
Among the vulnerabilities, a directory traversal vulnerability is reserved as CVE-2022-29799, and a time-of-check to time-of-use (TOCTOU) race condition is reserved as CVE-2022-29800 on MITRE. The vulnerabilities are still under ongoing analysis and a severity rating has not been assigned. The fixes have been deployed by Clayton Craft, the maintainer of networkd-dispatcher. The researchers also reported related vulnerabilities in Blueman and PackageKit that lead to directory information disclosure.
The directory traversal vulnerability arises because none of the functions sanitize the OperationalState or AdministrativeState values. The TOCTOU vulnerability exists because there is a window between the moment networkd-dispatcher discovers the scripts and the moment it runs them. An attacker can take advantage of this window by replacing scripts that networkd-dispatcher has already checked and considers to be owned by root.
The Microsoft researchers explain the exploitation methodology and code flow in depth in the Nimbuspwn post on their blog.
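Added example (not Microsoft's or networkd-dispatcher's code): a Python sketch of the two defensive patterns that close these bug classes in a root-running dispatcher, using a hypothetical allowlist of state tokens and a constructed throwaway script directory. It assumes Linux (it executes the already-checked file descriptor through /proc rather than re-opening the path), and the demo checks ownership against the current user instead of root so it can run unprivileged.

```python
import os
import re
import stat
import subprocess
import tempfile

STATE_NAME = re.compile(r"^[a-z][a-z0-9-]*$")  # assumed allowlist of state tokens

def script_dir_checked(base, state):
    # Traversal fix: allowlist the token, then confirm the resolved path is
    # still under base (an unchecked join would accept "../../tmp/x").
    if not STATE_NAME.fullmatch(state):
        raise ValueError(f"rejected state name {state!r}")
    base_real = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base_real, f"{state}.d"))
    if os.path.commonpath([base_real, path]) != base_real:
        raise ValueError("state path escapes the script directory")
    return path

def run_trusted_script(path, expected_uid=0):
    # Race fix: open once, fstat the *opened* inode for owner and mode, then execute
    # through the descriptor, so a file swapped in after the check never runs.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            raise PermissionError(f"{path}: not a regular file owned by uid {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) or not st.st_mode & stat.S_IXUSR:
            raise PermissionError(f"{path}: must be executable and not group/world writable")
        return subprocess.run([f"/proc/self/fd/{fd}"], pass_fds=(fd,)).returncode
    finally:
        os.close(fd)

def demo():
    # Constructed fixture: throwaway script directory owned by the current
    # user, so expected_uid is os.getuid() here rather than root.
    with tempfile.TemporaryDirectory() as base:
        d = script_dir_checked(base, "routable")
        os.mkdir(d)
        good, loose = os.path.join(d, "10-ok.sh"), os.path.join(d, "20-loose.sh")
        for p, body, mode in ((good, "exit 7", 0o700), (loose, "exit 0", 0o777)):
            with open(p, "w") as f:
                f.write(f"#!/bin/sh\n{body}\n")
            os.chmod(p, mode)
        rc = run_trusted_script(good, os.getuid())
        try:
            run_trusted_script(loose, os.getuid())  # world-writable: must be refused
            refused = False
        except PermissionError:
            refused = True
        return rc, refused  # (7, True)
```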
Exposure of SSH Credentials in Rancher/Fleet
A security vulnerability was identified by Dagan Hendereson from Raft Engineering in Hashicorp's go-getter library. Library versions prior to 1.5.11 are affected, and so are applications such as Rancher and Fleet that rely on the library. The vulnerability exposes SSH private keys in base64 format because of missing controls to redact such sensitive information. However, this vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or repositories, according to this advisory. Apart from Fleet and Rancher, other applications using the vulnerable version could be affected as well. The Hashicorp go-getter library is used for downloading files or directories from sources using a URL as the primary form of input.
The patches for Rancher are released for versions 2.513, 2.6.4 and later. The advisory also states that there are no workarounds to mitigate this vulnerability besides upgrading to the patched versions. Until the upgrade is complete, it is recommended to limit access to trusted users and to carefully validate that the URLs in use are correct. SSH keys should be rotated immediately if they have been exposed.
Manipulation of Lua Scripts to Overcome ACL rules
A security vulnerability in Redis was reported by Aviv Yahav. The vulnerability grants an adversary the ability to inject Lua code by exploiting a weakness in the Lua script execution environment. This can lead to execution of the injected code by another Redis user, potentially one with higher privileges. The vulnerability affects all versions prior to 7.0.0 and 6.2.7. It has been classified as CWE-94 – Improper Control of Generation of Code (Code Injection) and has been assigned CVE-2022-24735. Since user interaction is potentially required and the impact to confidentiality and integrity is low, the CVSS score is set at 3.9/10, marking this a low severity issue.
A temporary workaround to mitigate this vulnerability without patching is to block access to the SCRIPT LOAD and EVAL commands using the ACL rules available in Redis 6.0 and higher, as described in the advisory.