CVE-2022-29799 Overview
CVE-2022-29799 is a directory traversal vulnerability discovered in networkd-dispatcher, a component used on Linux systems. This flaw exists because the OperationalState and AdministrativeState functions within networkd-dispatcher fail to properly sanitize input, allowing attackers to escape from the /etc/networkd-dispatcher base directory. This vulnerability, part of a chain dubbed "Nimbuspwn" by Microsoft researchers, can be leveraged for privilege escalation on affected Linux systems.
Critical Impact
Attackers with local access can exploit this directory traversal vulnerability to escape the intended directory structure, potentially leading to unauthorized file access and privilege escalation when chained with related vulnerabilities.
Affected Products
- Microsoft Windows Defender for Endpoint (Linux)
- networkd-dispatcher on Linux systems
Discovery Timeline
- 2022-04-26 - Microsoft publishes security blog post on Nimbuspwn vulnerabilities
- 2022-09-21 - CVE-2022-29799 published to NVD
- 2025-05-27 - Last updated in NVD database
Technical Details for CVE-2022-29799
Vulnerability Analysis
CVE-2022-29799 is a classic directory traversal vulnerability (CWE-22) affecting the networkd-dispatcher service on Linux systems. The vulnerability allows local attackers to break out of the restricted /etc/networkd-dispatcher directory by manipulating the OperationalState or AdministrativeState parameters that are passed to the dispatcher.
The networkd-dispatcher service runs as root and is designed to execute scripts based on network state changes. When a network state change occurs, the service constructs file paths using the state values without proper sanitization. An attacker can inject path traversal sequences such as ../ into these state values, causing the service to access files outside the intended directory hierarchy.
This vulnerability is particularly significant as it forms part of the "Nimbuspwn" vulnerability chain. When combined with CVE-2022-29800 (a symlink race condition), attackers can achieve full root privilege escalation on vulnerable Linux systems.
Root Cause
The root cause lies in the lack of input validation and sanitization in networkd-dispatcher when handling the OperationalState and AdministrativeState values. The service directly uses these values to construct file paths without verifying that they do not contain path traversal characters or sequences. This allows malicious actors to craft state values containing sequences like ../ to navigate outside the intended directory structure.
Attack Vector
The attack requires local access to the target system. An attacker with low privileges can exploit this vulnerability by manipulating D-Bus messages sent to the networkd-dispatcher service. By crafting malicious state values containing directory traversal sequences, the attacker can cause the dispatcher to access or execute files from arbitrary locations on the filesystem.
The vulnerability is exploited through the D-Bus interface where network state changes are communicated. Since networkd-dispatcher runs with root privileges, successfully escaping the base directory can lead to significant security implications, especially when combined with other vulnerabilities in the Nimbuspwn chain.
Detection Methods for CVE-2022-29799
Indicators of Compromise
- Unusual D-Bus messages targeting the networkd-dispatcher service with suspicious state values containing ../ sequences
- Unexpected file access patterns in directories outside /etc/networkd-dispatcher
- Anomalous process execution by networkd-dispatcher accessing files in non-standard locations
- System logs showing path traversal patterns in networkd-dispatcher related entries
Detection Strategies
- Monitor D-Bus traffic for messages to networkd-dispatcher containing path traversal sequences
- Implement file integrity monitoring on critical system directories to detect unauthorized access
- Deploy endpoint detection solutions capable of identifying privilege escalation attempts on Linux systems
- Review system logs for networkd-dispatcher activity indicating directory traversal attempts
Monitoring Recommendations
- Enable detailed logging for networkd-dispatcher and D-Bus services
- Configure security monitoring tools to alert on path traversal patterns in process arguments
- Monitor for unexpected script executions by the networkd-dispatcher service
- Implement auditd rules to track file access outside expected networkd-dispatcher directories
How to Mitigate CVE-2022-29799
Immediate Actions Required
- Update networkd-dispatcher to the latest patched version available from your Linux distribution
- Review systems running Microsoft Defender for Endpoint on Linux and apply relevant updates
- Consider disabling networkd-dispatcher if not required in your environment
- Restrict D-Bus access to the networkd-dispatcher service where possible
Patch Information
Microsoft documented this vulnerability as part of the Nimbuspwn research. Organizations should apply security updates from their Linux distribution vendors that address CVE-2022-29799. The vulnerability has been addressed in updated versions of networkd-dispatcher. Refer to the Microsoft security blog post for detailed information on the vulnerability discovery and recommended mitigations.
Workarounds
- Disable the networkd-dispatcher service if it is not required for your network management needs
- Implement AppArmor or SELinux policies to restrict networkd-dispatcher file access to the intended directory
- Restrict D-Bus communication with the networkd-dispatcher service to authorized system components only
- Monitor and audit all networkd-dispatcher activity until patches can be applied
# Disable networkd-dispatcher if not needed
sudo systemctl stop networkd-dispatcher
sudo systemctl disable networkd-dispatcher
# Verify the service is disabled
sudo systemctl status networkd-dispatcher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
