An Israeli cybersecurity company, Armo, has demonstrated a critical vulnerability in several prominent Linux runtime security tools with a new proof-of-concept (PoC) rootkit named ‘Curing’. This rootkit successfully bypassed leading security solutions, exposing the limitations of their detection capabilities.
Curing uses the io_uring Linux kernel interface to avoid detection by security tools such as Falco, Tetragon, and Microsoft Defender. Falco, developed by Sysdig and now a Cloud Native Computing Foundation project, was completely blind to Curing. Microsoft Defender failed to recognize both Curing and various other common malware types. Tetragon managed some detection, but only when specific monitoring hooks were enabled, which they are not by default.
Armo’s findings indicate that an over-reliance on Extended Berkeley Packet Filter (eBPF)-based agents that track system calls leaves systems vulnerable. These security tools fail to account for io_uring, which allows I/O operations to be performed without issuing the corresponding system calls, so the activity is effectively invisible to monitoring agents that depend on the system-call path.
Introduced in Linux 5.1 in 2019, io_uring was designed to make asynchronous input/output operations more efficient. However, Armo highlighted the risks associated with this feature, given the consistent stream of CVEs (Common Vulnerabilities and Exposures) linked to the io_uring interface. The company’s goal in creating the rootkit was to draw attention to the insufficient response from Linux security vendors regarding io_uring’s potential risks.
When Armo reached out to the security vendors for comment, Falco’s maintainers acknowledged the issue and indicated that a more effective plugin was in development. In contrast, Microsoft did not respond to Armo’s attempts at communication, raising concerns about vendor accountability. Isovalent, the company behind Tetragon, asserted that their solution does not rely solely on system call monitoring and can therefore detect activity beyond system calls.
Considerations for enhancing Linux security include monitoring for unusual application behavior involving io_uring, especially if applications that have historically not utilized this feature begin to do so unexpectedly. This approach can provide critical threat detection as new vulnerabilities emerge within the Linux kernel.
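One way to start the baselining described above, as an added example that is not Armo’s code or any vendor’s: an io_uring instance shows up in /proc/<pid>/fd/ as a link to `anon_inode:[io_uring]`, so a scan of the fd tables reveals which processes hold one, and a host-specific allowlist (here a hypothetical BASELINE set) turns that into an alert on unexpected users. The SAMPLE_FD_TABLE is constructed to illustrate the check offline.

```python
import os

# Link target the kernel reports for an io_uring instance in /proc/<pid>/fd/
IO_URING_TARGET = "anon_inode:[io_uring]"

# Hypothetical baseline of process names known to use io_uring on this host; tune per environment.
BASELINE = {"postgres", "qemu-system-x86_64"}

# Constructed sample fd table for offline use: pid -> (comm, list of fd link targets).
SAMPLE_FD_TABLE = {
    101: ("postgres", ["/var/lib/postgresql/data/base/1/1234", IO_URING_TARGET, "socket:[4242]"]),
    202: ("cron", ["/dev/null", "pipe:[777]"]),
    303: ("sh", [IO_URING_TARGET, IO_URING_TARGET, "/dev/pts/0"]),
}


def read_fd_table(proc_root="/proc"):
    """Build {pid: (comm, [link targets])} from a live /proc (root needed to read other users' fds)."""
    table = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(pid_dir, "fd")
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited mid-scan, or its fds are not readable at this privilege
        table[int(entry)] = (comm, targets)
    return table


def io_uring_users(table):
    """Return {pid: (comm, count)} for processes holding at least one io_uring fd."""
    users = {}
    for pid, (comm, targets) in table.items():
        count = sum(1 for t in targets if t == IO_URING_TARGET)
        if count:
            users[pid] = (comm, count)
    return users


def flag_unexpected(users, baseline=BASELINE):
    """Keep only io_uring users whose process name is not in the baseline."""
    return {pid: info for pid, info in users.items() if info[0] not in baseline}


if __name__ == "__main__":
    for pid, (comm, count) in sorted(flag_unexpected(io_uring_users(read_fd_table())).items()):
        print(f"pid={pid} comm={comm} io_uring_fds={count}")
```

This is a periodic baseline check, not a substitute for kernel-level hooks: a process can rename itself via prctl, and a rootkit that hides its process or descriptors from /proc defeats the scan entirely.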
The implications of this issue underscore the urgent need for Linux security tools to adapt swiftly to architectural advancements and potential vulnerabilities, rather than relying on post-hoc solutions to address newly identified threats.
For more details, visit: Armo Blog