- A security blind spot in Linux lets rootkits bypass enterprise security solutions and run undetected
- It stems from the io_uring kernel interface
- Researchers have built a PoC rootkit, now available on GitHub
Cybersecurity researchers at ARMO have recently discovered a security blind spot in Linux that allows rootkits to bypass enterprise security solutions and run undetected on affected endpoints.
The blind spot exists because the io_uring kernel interface is ignored by security monitoring tools. Built as a faster and more efficient way for Linux programs to perform I/O, io_uring lets an application queue many I/O requests and have the kernel complete them asynchronously, instead of issuing one blocking system call per operation. It was introduced in 2019 with the release of Linux 5.1.
Apparently, most security tools watch for suspicious system calls and hook them, while completely ignoring everything that goes through io_uring. Since the interface supports a wide range of operations, 61 operation types in total, this creates a dangerous blind spot that can be exploited for malicious purposes. Among others, the supported operations include file reads and writes, creating and accepting network connections, changing file permissions, and more.
According to BleepingComputer, the risk is large enough that Google has disabled io_uring by default on Android and ChromeOS, both of which use the Linux kernel.
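The mechanism behind the blind spot, as an added example that is not part of the original article and is not code from ARMO's Curing rootkit: a program that reads a file through io_uring using raw io_uring_setup/io_uring_enter syscalls (no liburing), so that the process never issues read(2), readv(2) or pread(2). The sample text, the temporary file and the helper names (ring_open, uring_read, demo_read_without_read_syscall) are constructed for this example. It uses IORING_OP_READV, which has existed since Linux 5.1, and reports io_uring as unavailable when the kernel, a seccomp policy or a sysctl refuses to create the ring.

```c
// Added example (not ARMO's Curing code): read a file via io_uring so the
// process never issues read(2)/readv(2)/pread(2). A monitor that only hooks
// those syscalls sees open/io_uring_setup/io_uring_enter, but not the read.
// Raw syscalls, no liburing; IORING_OP_READV is available since Linux 5.1.
#define _GNU_SOURCE
#include <errno.h>
#include <linux/io_uring.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

#define URING_UNAVAILABLE (-2) /* io_uring_setup refused: old kernel, seccomp, sysctl */

/* Constructed sample content; written with write(2) only to build the fixture. */
static const char SAMPLE_TEXT[] = "read through io_uring, no read() syscall issued\n";

struct ring {
    int fd;
    struct io_uring_params p;
    void *sq, *cq;
    struct io_uring_sqe *sqes;
    size_t sq_sz, cq_sz, sqes_sz;
};

static void *ring_map(int fd, size_t sz, off_t off) {
    return mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd, off);
}

static void ring_close(struct ring *r) {
    if (r->sq != MAP_FAILED) munmap(r->sq, r->sq_sz);
    if (r->cq != MAP_FAILED) munmap(r->cq, r->cq_sz);
    if (r->sqes != MAP_FAILED) munmap(r->sqes, r->sqes_sz);
    close(r->fd);
}

/* Create a 1-entry ring and map its SQ ring, CQ ring and SQE array. */
static int ring_open(struct ring *r) {
    memset(r, 0, sizeof *r);
    r->sq = r->cq = MAP_FAILED;
    r->sqes = MAP_FAILED;
    r->fd = (int)syscall(__NR_io_uring_setup, 1, &r->p);
    if (r->fd < 0) return -1;
    r->sq_sz = r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned);
    r->cq_sz = r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe);
    r->sqes_sz = r->p.sq_entries * sizeof(struct io_uring_sqe);
    r->sq = ring_map(r->fd, r->sq_sz, IORING_OFF_SQ_RING);
    r->cq = ring_map(r->fd, r->cq_sz, IORING_OFF_CQ_RING);
    r->sqes = ring_map(r->fd, r->sqes_sz, IORING_OFF_SQES);
    if (r->sq == MAP_FAILED || r->cq == MAP_FAILED || r->sqes == MAP_FAILED) {
        ring_close(r);
        return -1;
    }
    return 0;
}

/* Submit one IORING_OP_READV for fd at offset 0 and wait for its completion.
 * Returns bytes read, URING_UNAVAILABLE if no ring could be set up, -1 otherwise. */
int uring_read(int fd, void *buf, size_t len) {
    struct ring r;
    if (ring_open(&r) < 0) return URING_UNAVAILABLE;
    char *sq = r.sq, *cq = r.cq;
    unsigned *sq_tail = (unsigned *)(sq + r.p.sq_off.tail);
    unsigned *sq_mask = (unsigned *)(sq + r.p.sq_off.ring_mask);
    unsigned *sq_array = (unsigned *)(sq + r.p.sq_off.array);
    unsigned *cq_head = (unsigned *)(cq + r.p.cq_off.head);
    unsigned *cq_tail = (unsigned *)(cq + r.p.cq_off.tail);
    unsigned *cq_mask = (unsigned *)(cq + r.p.cq_off.ring_mask);
    struct io_uring_cqe *cqes = (struct io_uring_cqe *)(cq + r.p.cq_off.cqes);

    /* Fill the submission entry: the equivalent of preadv(fd, &iov, 1, 0). */
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    unsigned tail = *sq_tail, idx = tail & *sq_mask;
    struct io_uring_sqe *sqe = &r.sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = IORING_OP_READV;
    sqe->fd = fd;
    sqe->addr = (unsigned long)&iov;
    sqe->len = 1;
    sqe->off = 0;
    sqe->user_data = 42;
    sq_array[idx] = idx;
    __atomic_store_n(sq_tail, tail + 1, __ATOMIC_RELEASE); /* publish to the kernel */

    int rc = -1;
    /* The only syscall issued for the I/O: submit 1 entry, wait for 1 completion. */
    if (syscall(__NR_io_uring_enter, r.fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) >= 0) {
        unsigned head = __atomic_load_n(cq_head, __ATOMIC_ACQUIRE);
        if (head != __atomic_load_n(cq_tail, __ATOMIC_ACQUIRE)) {
            struct io_uring_cqe *cqe = &cqes[head & *cq_mask];
            if (cqe->user_data == 42 && cqe->res >= 0) rc = cqe->res;
            else errno = cqe->res < 0 ? -cqe->res : EIO;
            __atomic_store_n(cq_head, head + 1, __ATOMIC_RELEASE);
        }
    }
    ring_close(&r);
    return rc;
}

/* Fixture: put SAMPLE_TEXT in an anonymous file with write(2), then read it
 * back via io_uring. Returns what uring_read() returns. */
int demo_read_without_read_syscall(char *buf, size_t len) {
    char path[] = "/tmp/uring-demo-XXXXXX";
    int fd = memfd_create("uring-demo", 0);
    if (fd < 0 && (fd = mkstemp(path)) >= 0) unlink(path);
    if (fd < 0) return -1;
    ssize_t want = (ssize_t)strlen(SAMPLE_TEXT);
    int n = write(fd, SAMPLE_TEXT, (size_t)want) == want ? uring_read(fd, buf, len) : -1;
    close(fd);
    return n;
}

int main(void) {
    char buf[128] = {0};
    int n = demo_read_without_read_syscall(buf, sizeof buf - 1);
    if (n == URING_UNAVAILABLE) {
        printf("io_uring not usable here: %s\n", strerror(errno));
        return 0;
    }
    if (n < 0) { perror("uring_read"); return 1; }
    printf("read %d bytes via io_uring: %s", n, buf);
    return 0;
}
```

Running it under `strace -e trace=read,readv,pread64,preadv ./a.out` shows no read of the sample descriptor, only `io_uring_setup` and `io_uring_enter` if those are traced as well. That is the point the Tetragon developers make: the activity is not invisible to the kernel, it just does not pass through the read/write/connect syscalls that hook-based monitors watch, so a monitor that hooks io_uring_setup/io_uring_enter, or the kernel's io_uring request paths, still sees it. The URING_UNAVAILABLE branch is what you get on hosts where io_uring is disabled, as on Android and ChromeOS.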
To demonstrate the flaw, ARMO built a proof-of-concept (PoC) rootkit called "Curing". It can fetch instructions from a remote server and execute arbitrary commands without triggering syscall hooks. The researchers then tested it against popular security tools and found that most of them could not detect it.
The researchers claim that Falco was completely blind to Curing, while Tetragon could not flag it under its default configuration. However, the latter's developers told the researchers that they did not consider the platform vulnerable, because its monitoring can be configured to detect the rootkit.
“We reported this to the Tetragon team and their answer was that, from their point of view, Tetragon is not ‘vulnerable’ because they offer the flexibility to hook essentially anywhere,” they said. “They highlighted a good blog post they wrote on the subject.”
ARMO also said it tested the tool against unnamed commercial products and confirmed that malware abusing io_uring went undetected. Curing is now available for free on GitHub.
Via BleepingComputer