Linux io_uring Security Blind Spot Let Attackers Stealthily Deploy Rootkits
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical vulnerability exists in Linux’s security framework, revealing that many runtime security tools struggle to detect threats operating via the io_uring interface.
This discovery exposes a critical gap in protection for Linux-based systems across cloud environments and data centers worldwide.
The research team at ARMO has demonstrated that popular security solutions are effectively “blind” to malicious activities performed via io_uring, an asynchronous I/O mechanism introduced in Linux 5.1 that allows applications to bypass traditional system calls.
This vulnerability affects nearly all commercial Linux runtime security tools that rely on system call monitoring for threat detection.
“We decided to create Curing and release it publicly… to raise awareness about io_uring as an overlooked mechanism that attackers can exploit,” ARMO researchers stated in their report.
Despite io_uring being available for years and previously identified as potentially problematic, security vendors have largely failed to address this gap in their monitoring capabilities.
Proof-of-Concept & Real-World Threat
To prove the significance of this vulnerability, ARMO developed “Curing,” a fully functional rootkit that operates exclusively through io_uring operations.
This proof-of-concept malware can establish command and control communications, access sensitive files, and execute malicious commands while remaining undetected by standard security solutions.
Researchers found alarming results when testing major security products against their rootkits.
Similarly, Microsoft Defender for Endpoint on Linux missed multiple attack indicators, including malware drops and suspicious network connections.
According to a senior vice president at one of the top cybersecurity companies quoted in the report, “We take this very seriously as it bypasses all our file system visibility”.
In contrast, Microsoft was reportedly unresponsive despite multiple attempts by researchers to communicate their findings.
Open-source projects had varied responses Falco maintainers acknowledged the issue and are working on a plugin for deeper visibility, while Tetragon developers pointed out that their tool can detect io_uring operations, but only if specifically configured to do so.
The report outlines several approaches that security vendors can implement to address this vulnerability.
These include detecting anomalous usage of io_uring, implementing KRSI (Kernel Runtime Security Instrumentation), and finding alternative hook points across the Linux stack.
“KRSI offers native integration with the Linux security layer, enabling deep visibility into kernel-level events. It’s an evolving and promising technology that aligns well with the need for modern, flexible detection strategies,” the researchers noted.
With Linux as the foundation for most cloud infrastructure, this vulnerability impacts organizations across all sectors.
The researchers emphasize that security vendors must adapt their detection strategies beyond simple syscall monitoring to ensure comprehensive protection against increasingly sophisticated attack techniques.
#Cyber_Security #Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Linux io_uring Security Blind Spot Let Attackers Stealthily Deploy Rootkits
Author: Guru BaranA critical vulnerability exists in Linux’s security framework, revealing that many runtime security tools struggle to detect threats operating via the io_uring interface.
This discovery exposes a critical gap in protection for Linux-based systems across cloud environments and data centers worldwide.
The research team at ARMO has demonstrated that popular security solutions are effectively “blind” to malicious activities performed via io_uring, an asynchronous I/O mechanism introduced in Linux 5.1 that allows applications to bypass traditional system calls.
This vulnerability affects nearly all commercial Linux runtime security tools that rely on system call monitoring for threat detection.
“We decided to create Curing and release it publicly… to raise awareness about io_uring as an overlooked mechanism that attackers can exploit,” ARMO researchers stated in their report.
Despite io_uring being available for years and previously identified as potentially problematic, security vendors have largely failed to address this gap in their monitoring capabilities.
Proof-of-Concept & Real-World Threat
To prove the significance of this vulnerability, ARMO developed “Curing,” a fully functional rootkit that operates exclusively through io_uring operations.
This proof-of-concept malware can establish command and control communications, access sensitive files, and execute malicious commands while remaining undetected by standard security solutions.
Researchers found alarming results when testing major security products against their rootkits.
Similarly, Microsoft Defender for Endpoint on Linux missed multiple attack indicators, including malware drops and suspicious network connections.
According to a senior vice president at one of the top cybersecurity companies quoted in the report, “We take this very seriously as it bypasses all our file system visibility”.
In contrast, Microsoft was reportedly unresponsive despite multiple attempts by researchers to communicate their findings.
Open-source projects had varied responses Falco maintainers acknowledged the issue and are working on a plugin for deeper visibility, while Tetragon developers pointed out that their tool can detect io_uring operations, but only if specifically configured to do so.
The report outlines several approaches that security vendors can implement to address this vulnerability.
These include detecting anomalous usage of io_uring, implementing KRSI (Kernel Runtime Security Instrumentation), and finding alternative hook points across the Linux stack.
“KRSI offers native integration with the Linux security layer, enabling deep visibility into kernel-level events. It’s an evolving and promising technology that aligns well with the need for modern, flexible detection strategies,” the researchers noted.
With Linux as the foundation for most cloud infrastructure, this vulnerability impacts organizations across all sectors.
The researchers emphasize that security vendors must adapt their detection strategies beyond simple syscall monitoring to ensure comprehensive protection against increasingly sophisticated attack techniques.
#Cyber_Security #Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
