Critical security gap in Kernel-API discovered – Research Snipers


A vulnerability has been lurking in the Linux kernel since 2019. The kernel interface io_uring can be used to bypass all common security controls, up to complete root access. Even leading security solutions are powerless.


Dangerous security gap in Linux discovered

Only the day before yesterday, the BSI published a security warning about Nvidia drivers under Linux. In early April, Microsoft also found a number of security gaps in Linux boot loaders. Now researchers have identified another serious vulnerability in Linux systems and published a rootkit called “Curing” that can bypass the most modern security solutions.

The rootkit uses the io_uring interface, a performance-enhancing kernel feature that has been available since Linux 5.1 (2019) and represents a dangerous gap in the security architecture. What makes io_uring special is that it lets applications carry out operations without using the usual system calls (syscalls). Since most security tools rely on monitoring exactly these system calls, this creates a blind spot that attackers can exploit.

Why io_uring is so dangerous

The io_uring interface was originally developed to make input and output operations more efficient. Instead of traditional system calls, which create a lot of overhead, io_uring uses so-called ring buffers that are shared between the application and the kernel. This enables asynchronous processing without blocking the process. As the security researchers at Armo report, io_uring supports 61 different operation types, including reading and writing files, network connections, process creation and changing file permissions. This variety makes it a powerful tool for rootkits.


Google has already recognized the risks and disabled io_uring by default on Android devices and ChromeOS. According to Armo, around 60 percent of the bug bounty submissions to Google were due to weaknesses in the io_uring mechanism.

Tests show serious security vulnerabilities

The researchers tested their “Curing” rootkit against several well-known security tools. The result: Falco could not detect the rootkit's activities, even with custom rules. Tetragon also showed weaknesses in its default configuration, but it allows additional monitoring points to be defined.

Commercial security solutions were also tested, including Microsoft Defender for Linux. Nothing was detected here either. The vice president of a leading cyber security company is quoted as saying: “We take it very seriously, as our entire file system visibility is bypassed.”

Approaches to solving the problem

The researchers recommend several approaches for detecting io_uring-based attacks:

  • Monitoring unusual io_uring use, since most applications do not use this interface
  • Using KRSI (Kernel Runtime Security Instrumentation), which enables deeper insight into kernel events
  • Identifying alternative monitoring points in the Linux stack
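One way to act on the first recommendation (flagging io_uring use where it is not expected), as an added example that is not code from the article or from Armo's Curing project: it scans a /proc tree for processes holding io_uring file descriptors, which the kernel exposes as `anon_inode:[io_uring]` symlinks, and reads the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later). The allowlist of expected io_uring users and the sample /proc tree are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Each io_uring instance is an anonymous inode, visible in /proc/<pid>/fd as this symlink target.
IO_URING_TARGET = "anon_inode:[io_uring]"
ALLOWLIST = {"postgres", "qemu-system-x86_64"}  # assumed legitimate io_uring users on this host

def io_uring_users(proc_root="/proc"):
    """Return {pid: (comm, ring_count)} for every process holding an io_uring fd."""
    users = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            fds = list((entry / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue  # other users' fd tables need root; the process may have exited
        rings = 0
        for fd in fds:
            try:
                rings += os.readlink(fd) == IO_URING_TARGET
            except OSError:
                continue  # fd closed between listing and readlink
        if rings:
            users[int(entry.name)] = ((entry / "comm").read_text().strip(), rings)
    return users

def suspicious(users, allowlist=ALLOWLIST):
    """PIDs whose command name is not an expected io_uring user: review these first."""
    return sorted(pid for pid, (comm, _) in users.items() if comm not in allowlist)

def io_uring_disabled(proc_root="/proc"):
    """kernel.io_uring_disabled (Linux 6.6+): 0 enabled, 1 restricted, 2 off; None if absent."""
    path = Path(proc_root) / "sys" / "kernel" / "io_uring_disabled"
    return int(path.read_text()) if path.exists() else None

def build_fake_proc():
    """Constructed /proc-like tree (sample data, not a real host) so the demo runs offline."""
    root = Path(tempfile.mkdtemp())
    for pid, comm, targets in [(100, "postgres", [IO_URING_TARGET, "/dev/null"]),
                               (200, "unknown_bin", [IO_URING_TARGET, IO_URING_TARGET]),
                               (300, "bash", ["/dev/pts/0"])]:
        (root / str(pid) / "fd").mkdir(parents=True)
        (root / str(pid) / "comm").write_text(comm + "\n")
        for i, target in enumerate(targets):
            os.symlink(target, root / str(pid) / "fd" / str(i))
    (root / "sys" / "kernel").mkdir(parents=True)
    (root / "sys" / "kernel" / "io_uring_disabled").write_text("0\n")
    return root
```

Point `io_uring_users` at the real `/proc` (as root, so other users' fd tables are readable) to scan a live host; a process outside the allowlist holding a ring is a candidate for closer review, not proof of a rootkit.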

The “Curing” rootkit has been published on GitHub as a free download for anyone who wants to test their environment.

Significance for cyber security

This discovery has far-reaching consequences because Linux forms the basis of a large part of the cloud infrastructure. The vulnerability particularly affects eBPF, a widespread monitoring and security technology that is very popular with cloud security providers.
