Clandestine rootkit compromise possible with Linux io_uring interface issue

A rootkit compromise of a Linux system could remain undetected by exploiting a security issue in the Linux kernel interface io_uring, according to BleepingComputer. The weakness stems from most security tools' inability to recognize activity carried out through io_uring, which uses ring buffers to submit I/O requests that the kernel processes asynchronously, without a separate syscall per operation, ARMO security researchers reported.

The researchers said that Curing, a proof-of-concept rootkit they developed to use io_uring for retrieving commands and executing arbitrary code without triggering syscall hooks, was not identified by the runtime security tools Falco and Tetragon, nor by other commercial tools. "We reported this to the Tetragon team and their response was that from their perspective Tetragon is not 'vulnerable' as they provide the flexibility to hook basically anywhere. They pointed out a good blog post they wrote about the subject," said the ARMO researchers, who recommended implementing Kernel Runtime Security Instrumentation (KRSI) to address the flaw.