How Nimbuspwn Exploits systemd’s networkd-dispatcher for Root Access

Microsoft researchers uncovered the Nimbuspwn vulnerability in systemd’s networkd-dispatcher, detailing how directory‑traversal, symlink‑race, and TOCTOU flaws let attackers replace root‑owned scripts, achieve privilege escalation, and why coordinated patching across hundreds of Linux distributions is critical.

21CTO

Microsoft researchers disclosed a Linux privilege‑escalation vulnerability dubbed Nimbuspwn, found in the networkd-dispatcher component of systemd, which is present in many Linux distributions and runs with root privileges.

The component schedules network‑state changes and executes scripts based on the new state. During code review, Microsoft identified the function _run_hooks_for_state that obtains a script list via get_script_list, sorts it, and runs each script with subprocess.Popen under a custom environment.

Researchers determined that _run_hooks_for_state contains three distinct flaws: a directory‑traversal issue, a symlink‑race condition, and a time‑of‑check‑to‑time‑of‑use (TOCTOU) race. An attacker can exploit these to replace legitimate root‑owned scripts with malicious ones, achieving privilege escalation or deploying malware.

Microsoft’s Jonathan Bar Or illustrated the TOCTOU risk, noting that the gap between script discovery and execution allows an attacker to swap the script before it runs.
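A defensive sketch of how a hook runner can close the three classes of flaw described above. It is an added example, not networkd-dispatcher's own code or its actual patch. The names hook_dir, open_checked and run_hook, the state-name pattern and the trusted_uid parameter are assumptions, and run_hook relies on Linux /proc.

```python
import os
import re
import stat
import subprocess

# Assumption: valid state names are lowercase words, optionally hyphenated.
STATE_RE = re.compile(r"[a-z][a-z-]*")

def hook_dir(base, state):
    """Build <base>/<state>.d, refusing any state that could leave base."""
    if not STATE_RE.fullmatch(state):  # blocks "../", "/" and empty names
        raise ValueError(f"rejected state name: {state!r}")
    return os.path.join(base, state + ".d")

def open_checked(path, trusted_uid=0):
    """Open a hook without following a final symlink, then vet the open file."""
    # O_NOFOLLOW: a symlink as the last path component fails with ELOOP.
    # O_NONBLOCK: a FIFO planted at the path cannot stall the open.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)  # inspects the object we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != trusted_uid:
            raise PermissionError("not owned by the trusted user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("writable by group or others")
        if not st.st_mode & stat.S_IXUSR:
            raise PermissionError("not executable")
    except Exception:
        os.close(fd)
        raise
    return fd

def run_hook(path, env, trusted_uid=0):
    """Execute the exact file that passed the checks, not whatever the path names now."""
    fd = open_checked(path, trusted_uid)
    try:
        # The child execs its inherited descriptor, so replacing the path
        # between check and use cannot change what runs.
        cmd = [f"/proc/self/fd/{fd}"]
        return subprocess.run(cmd, pass_fds=(fd,), env=env).returncode
    finally:
        os.close(fd)
```

O_NOFOLLOW only covers the final path component, so the hook directories themselves still need to be root-owned and not writable by other users.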

Vulnerability fixed

The maintainer, Clayton Craft, was notified of the findings and three weeks later released networkd-dispatcher 2.2, which patches the identified issues.

Security‑industry experts, such as Viakoo CEO Bud Broomhead, emphasized that patching Nimbuspwn is challenging because the vulnerability spans over 600 Linux distributions, requiring coordinated updates across many packages.

Bar Or concluded that collaborative, cross‑industry research is essential for quickly mitigating such complex security problems.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
