Bug 2080001 (CVE-2022-29800) - CVE-2022-29800 networkd-dispatcher: Time-of-check-time-of-use (TOCTOU) race condition
Summary: CVE-2022-29800 networkd-dispatcher: Time-of-check-time-of-use (TOCTOU) race c...
Status: NEW
Alias: CVE-2022-29800
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 2080002
TreeView+ depends on / blocked
Reported: 2022-04-28 17:17 UTC by Pedro Sampaio
Modified: 2022-05-03 08:56 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A time-of-check-time-of-use (TOCTOU) race condition vulnerability found in networkd-dispatcher. This flaw exists because there is a certain time between the scripts being discovered and them being run. An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root with ones that are not.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Pedro Sampaio 2022-04-28 17:17:28 UTC
Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution. Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices.

The vulnerabilities were found in the systemd unit networkd-dispatcher:

- CVE-2022-29799: directory traversal
- CVE-2022-29800: time-of-check-time-of-use (TOCTOU) race condition
- symlink race condition


[0] https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/

Note You need to log in before you can comment on or make changes to this bug.