A worrying stealthy Linux security bug could put your systems at risk – here’s what we know

LovabledanielsApril 25, 202552 Views

A security oversight in Linux allows rootkits to bypass enterprise security solutions and run stealthily
It was found in the io_uring Kernel interface
Researchers built a PoC, now available on GitHub

Cybersecurity researchers from ARMO recently discovered a security oversight in Linux which allows rootkits to bypass enterprise security solutions and run stealthily on affected endpoints.

The oversight happens because the ‘io_uring’ Kernel interface is being ignored by security monitoring tools. Built as a faster, more efficient way for Linux systems to talk to storage devices, io_uring helps modern computers handle lots of information without getting bogged down. It was introduced back in 2019, with the release of Linux 5.1.

Apparently, most security tools look for shady syscalls and hooking white completely ignoring anything involving io_uring. Since the interface supports numerous operations through 61 ops types, it creates a dangerous blindspot that can be exploited for malicious purposes. Among other things, the supported operations include read/writes, creating and accepting network connections, modifying file permissions, and more.

According to BleepingComputer, the risk is so great that Google turned it off by default both in Android and ChromeOS, which use the Linux kernel.

Second increase

To demonstrate the flaw, ARMO built a proof-of-concept (PoC) rootkit called “Curing”. It can pull instructions from a remote server and run arbitrary commands without triggering syscall hooks. They then tested it against popular runtime security tools, and determined that most of them couldn’t detect it.

The researchers claim Falco was completely oblivious to Curing, while Tetragon couldn’t flag it under default configurations. However, the latter’s devs told the researchers they don’t consider the platform vulnerable since monitoring can be enabled to detect the rootkit.

“We reported this to the Tetragon team and their response was that from their perspective Tetragon is not “vulnerable” as they provide the flexibility to hook basically anywhere,” they said. “They pointed out a good blog post they wrote about the subject.”

ARMO also said they tested the tool against unnamed commercial programs and confirmed that io_uring-abusing malware was not being detected. Curing is now available for free on GitHub.

Via BleepingComputer

Weekly update

Apple TV audio not syncing properly? tvOS 18.5 should fix this strange Dolby Atmos bug

Israeli attacks on Gaza kill 70 as ceasefire talks continue | Israel-Palestine conflict News

Google teases a refresh for the Pixel’s always-on display in Android 16 – and it’s about time it caught up to Apple and Samsung

Weekly Newsletter

A worrying stealthy Linux security bug could put your systems at risk – here’s what we know

Leave a comment

Leave a Reply Cancel reply

Explore more

Israeli attacks on Gaza kill 70 as ceasefire talks continue | Israel-Palestine conflict News

Google teases a refresh for the Pixel’s always-on display in Android 16 – and it’s about time it caught up to Apple and Samsung

Upgraded technique for extracting uranium from seawater promises higher efficiency and lower costs

Loatinover Pounds Shines In DJ Clen’s “Mosamelo” Music Video

Meta faces row over plan to use European data for AI

The Samsung Galaxy S25’s coolest feature could get a big upgrade in One UI 8

NYT Connections hints and answers for Thursday, May 15 (game #704)

Vision-language models can’t handle queries with negation words, study shows

Get to Know Us

Let's keep in touch