- A security oversight in Linux allows rootkits to bypass enterprise security solutions and run stealthily
- It was found in the io_uring kernel interface
- Researchers built a PoC that is now available on GitHub
Cybersecurity researchers from Armo recently discovered a security oversight in Linux that allows rootkits to bypass enterprise security solutions and run stealthily on affected endpoints.
The problem arises because the io_uring kernel interface is ignored by security monitoring tools. Built as a faster, more efficient way for Linux systems to talk to storage devices, io_uring helps modern computers handle large volumes of data without bottlenecks. It was introduced back in 2019 with the release of Linux 5.1.
Apparently, most security tools look for suspicious syscalls and hook them, while completely ignoring anything that goes through io_uring. Because the interface supports a wide range of operations through 61 opcode types, it creates a dangerous blind spot that can be abused for malicious purposes. Among other things, the supported operations include reading and writing files, creating and accepting network connections, modifying files, and more.
According to BleepingComputer, the risk is so significant that Google has disabled io_uring by default in both Android and ChromeOS, which use the Linux kernel.
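Because io_uring submissions never pass through the hooked syscall paths described above, a defender's cheapest baseline is to ask the kernel which processes hold a ring at all. The script below is an added example (not Armo's code and not the Curing tool); it assumes a Linux procfs layout in which an io_uring instance shows up under /proc/<pid>/fd/ as a symlink to "anon_inode:[io_uring]", and it includes a constructed procfs stand-in so the logic runs offline.

```python
"""Inventory processes holding an io_uring ring via procfs. Added example, not Armo's
code or the Curing tool. Assumes Linux procfs, where an io_uring instance appears in
/proc/<pid>/fd/<n> as a symlink to "anon_inode:[io_uring]". A baseline check only; it
does not replace a runtime sensor that hooks io_uring submissions themselves."""
import os
import tempfile
from typing import Dict, List, Tuple

RING_TARGET = "anon_inode:[io_uring]"

def io_uring_users(proc_root: str = "/proc") -> Dict[int, Tuple[str, List[int]]]:
    """Return {pid: (comm, [fd, ...])} for every process with an open io_uring ring."""
    found: Dict[int, Tuple[str, List[int]]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:  # other users' fd tables need root; a process may also exit mid-scan
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        rings = []
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == RING_TARGET:
                    rings.append(int(fd))
            except OSError:
                continue
        if rings:
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            found[int(entry)] = (comm, sorted(rings))
    return found

def make_sample_proc() -> str:
    """Constructed procfs stand-in for offline use: pid 101 holds a ring on fd 4, pid 202 does not."""
    root = tempfile.mkdtemp()
    layout = {101: ("suspect", {"0": "/dev/null", "4": RING_TARGET}),
              202: ("bash", {"0": "/dev/pts/0"})}
    for pid, (comm, fd_map) in layout.items():
        os.makedirs(os.path.join(root, str(pid), "fd"))
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in fd_map.items():
            os.symlink(target, os.path.join(root, str(pid), "fd", fd))
    return root
```

Run `io_uring_users()` as root on a live host to see every ring holder; on Linux 6.6 and later the `kernel.io_uring_disabled` sysctl can additionally restrict or switch off the interface where no legitimate workload needs it.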
To demonstrate the flaw, Armo built a proof-of-concept (PoC) rootkit called “Curing”. It can pull instructions from a remote server and run arbitrary commands without triggering syscall hooks. They then tested it against popular runtime security tools and determined that most of them couldn’t detect it.
The researchers claim that Falco was completely blind to Curing, while Tetragon could not flag it under default configurations. However, the latter’s developers told the researchers that they do not consider the platform vulnerable, as its monitoring can be configured to detect the rootkit.
“We reported this to the Tetragon team, and their answer was that from their perspective Tetragon is not ‘vulnerable’, as they give the flexibility to hook basically everywhere,” they said. “They pointed out a good blog post they wrote on the subject.”
Armo also said they tested the tool against unnamed commercial programs and confirmed that io_uring-abusing malware was not detected. Curing is now available for free on GitHub.
Via BleepingComputer