- A Linux security blind spot lets rootkits evade enterprise security tools and operate stealthily
- It lies in the kernel interface io_uring
- The researchers built a proof of concept (PoC), now available on GitHub
Security researchers at ARMO recently discovered a Linux security blind spot that allows rootkits to evade enterprise security solutions and operate stealthily on affected endpoints.
The blind spot exists because the kernel interface io_uring is ignored by security monitoring tools. Built as a faster and more efficient way for Linux systems to talk to storage devices, io_uring lets modern computers handle large volumes of data without bogging down. It was introduced in 2019 with the release of Linux 5.1.
Apparently, most security tools watch for suspicious syscalls and hook them, while completely ignoring anything that goes through io_uring. Since the interface supports a wide range of operations across 61 operation types, this creates a dangerous blind spot that can be exploited for malicious purposes. Supported operations include, among others, file reads and writes, creating and accepting network connections, and changing file permissions.
According to BleepingComputer, the risk is serious enough that Google has disabled it by default on both Android and ChromeOS, which use the Linux kernel.
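One thing a defender can do on a host without changing any monitoring tool is inventory which processes hold io_uring instances and check whether the kernel-level switch is in place. The script below is an added example, not ARMO's Curing code and not any vendor's detection logic. It assumes the standard Linux /proc layout, where each open file descriptor is a symlink under /proc/<pid>/fd/ and an io_uring instance resolves to the anon-inode name "anon_inode:[io_uring]", and that the sysctl kernel.io_uring_disabled (values 0, 1, 2) exists on kernels 6.6 and newer; on older kernels it reports the sysctl as absent.

```python
"""Inventory processes holding io_uring instances and report the kernel sysctl.

Added example for illustration; it is not ARMO's Curing PoC and not a vendor's
detection rule. Assumptions: the standard Linux /proc layout, where each open
fd of a process is a symlink under /proc/<pid>/fd/ and an io_uring instance
resolves to "anon_inode:[io_uring]"; the sysctl kernel.io_uring_disabled
exists on kernels 6.6 and newer.
"""
import os
import sys

IO_URING_LINK = "anon_inode:[io_uring]"

# Meaning of kernel.io_uring_disabled on kernels >= 6.6; 0 is the default.
IO_URING_DISABLED_MEANING = {
    "0": "io_uring enabled for all processes",
    "1": "io_uring restricted to root and the group named by kernel.io_uring_group",
    "2": "io_uring disabled for all processes",
}


def interpret_io_uring_disabled(raw):
    """Map the raw contents of the sysctl file to a human-readable state."""
    value = raw.strip()
    return IO_URING_DISABLED_MEANING.get(value, f"unknown value {value!r}")


def read_sysctl_state(proc_root="/proc"):
    """Read /proc/sys/kernel/io_uring_disabled, tolerating kernels without it."""
    path = os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")
    try:
        with open(path) as f:
            return interpret_io_uring_disabled(f.read())
    except FileNotFoundError:
        return "sysctl absent (kernel older than 6.6, or not Linux)"


def process_io_uring_fds(proc_root, pid):
    """Return the sorted fd numbers of <pid> that point at an io_uring instance."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    found = []
    try:
        entries = os.listdir(fd_dir)
    except (FileNotFoundError, PermissionError):
        return found  # process exited, or we lack ptrace-read access to it
    for name in entries:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # fd closed between listdir() and readlink()
        if target == IO_URING_LINK:
            found.append(int(name))
    return sorted(found)


def read_comm(proc_root, pid):
    """Return the short command name of <pid>, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def find_io_uring_users(proc_root="/proc"):
    """Return {pid: (comm, [fds])} for every process holding an io_uring fd."""
    users = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip sys/, self/, net/ and other non-process entries
        fds = process_io_uring_fds(proc_root, entry)
        if fds:
            users[int(entry)] = (read_comm(proc_root, entry), fds)
    return users


if __name__ == "__main__":
    # Optional argument: an alternative proc root (useful for testing offline).
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    print("kernel.io_uring_disabled:", read_sysctl_state(root))
    for pid, (comm, fds) in sorted(find_io_uring_users(root).items()):
        print(f"pid {pid:>7} {comm:<16} io_uring fds: {fds}")
```

Run it as root to see every process; unprivileged it only reports processes it may inspect. A legitimate database or web server may well show up, so the value is in the baseline: a new, unexpected process holding an io_uring fd on a host where nothing is supposed to use it is worth a look, and setting kernel.io_uring_disabled to 2 where the interface is not needed removes the blind spot at the source.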
Second increase
To demonstrate the flaw, ARMO built a proof of concept (PoC) called “Curing”. It can fetch instructions from a remote server and execute arbitrary commands without triggering syscall hooks. The researchers then tested it against popular runtime security tools and found that most of them could not detect it.
The researchers say Falco was completely blind to Curing, while Tetragon could not flag it under its default configuration. However, Tetragon's developers told the researchers that they do not consider the platform vulnerable, since monitoring can be enabled to detect the rootkit.
“We reported this to the Tetragon team, and their response was that from their perspective Tetragon is not ‘vulnerable’, since they provide the flexibility to basically hook anywhere,” they said. “They pointed to a good blog post they wrote on the subject.”
ARMO also said it tested the tool against unnamed commercial products and confirmed that none of them detected malware abusing io_uring. Curing is now available for free on GitHub.
Via BleepingComputer