
Hackers Can Now Bypass Linux Security Thanks To Terrifying New Curing Rootkit (betanews.com)

(Thursday April 24, 2025 @11:22AM (msmash) from the PSA dept.)


[1]BrianFagioli writes:

> ARMO, the company behind Kubescape, has uncovered what could be one of the biggest blind spots in Linux security today. The company has released a working rootkit called "Curing" that uses io_uring, a feature built into the Linux kernel, [2]to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.

>

> At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms.



[1] https://slashdot.org/~BrianFagioli

[2] https://betanews.com/2025/04/24/hackers-bypass-linux-security-with-armo-curing-rootkit/



Optional kernel feature? (Score:3)

by Bert64 ( 520050 )

io_uring is an optional kernel feature, which you can turn off or compile out if you're not using...

Re:Optional kernel feature? (Score:5, Informative)

by Chris Mattern ( 191822 )

Most people don't tune their kernels, much less compile them. The question is, is it turned on in the stock kernel of the distro you're using?

Of course, if it is, this being made public mean it won't be for long. If you do your updates, I'd expect you'd be fine.

Re: (Score:3)

by mysidia ( 191772 )

Also... Linux "security" is not 3rd-party antimalware programs that monitor syscalls.

No Linux security has been defeated by the existence of the rootkit. Security was defeated when an intruder gained root.

Security is the kernel's permissions and access control models. Things like non-root processes not having access to execute privileged operations.

It sounds like the only thing that has been bypassed are EDR programs; tools such as CrowdStrike, Palo Alto Cortex, Microsoft Defender, Carbon Black, SentinelOne.

Re: (Score:1)

by Tensor ( 102132 )

what a stupid pedantic distinction

Linux security modules do depend on it (Score:2)

by _merlin ( 160982 )

SELinux, a Linux security feature, depends heavily on monitoring system calls. The whole Linux security module system is largely based around monitoring system calls. It seems they didn't consider providing a mechanism for security modules to monitor io_uring for nefarious activity.

Re: (Score:2)

by The MAZZTer ( 911996 )

If io_uring requires root then this is a nothingburger.

Raymond Chen, Microsoft developer, uses the phrase "It rather involved being on the other side of this airtight hatchway" to refer to such "exploits".

Re: (Score:2)

by Brain-Fu ( 1274756 )

The linked article is very light on details. I did a little searching around and it appears that one does, in fact, need root in order to set up io_uring, though it can also be done with sudo, and it looks like it is possible to set things up so it can subsequently be used for specific operations without root (though I am unsure about that).

Apparently this isn't actually news, as the library has been under criticism for this sort of thing for a while. Some distributions, such as Ubuntu, don't use it by de

Re:Optional kernel feature? (Score:5, Informative)

by Mr. Dollar Ton ( 5495648 )

It seems that in Debian testing at least it is present:

grep -i uring /boot/config-$(uname -r)

CONFIG_IO_URING=y

Re: (Score:2)

by mysidia ( 191772 )

It's also enabled in Ubuntu 24.04.2 LTS' kernel 6.8.0-57-generic.

Re: (Score:2)

by Mr. Dollar Ton ( 5495648 )

Yeah, so if there is indeed a rootkit going around and if it does what it is claimed, it probably makes sense to recompile without it.

I'll read up on it later to decide how "terrifying" this new scourge is, TFS is a bit unclear on what's going on.

Re: (Score:2)

by _merlin ( 160982 )

The "rootkit" mentioned in TFA is just a proof of concept demonstrating that you can use io_uring to avoid being monitored by Linux security modules like SELinux or AppArmor. It isn't being used by malware in the wild.

The trouble with disabling io_uring is that you'll get a pretty substantial performance hit in applications that actually use it. The Linux AIO API was basically broken. It only worked on files, only on portions of files that are already allocated, and in many situations an operation would

Re: (Score:2)

by Mr. Dollar Ton ( 5495648 )

Yeah, apparently it is so; hence one has to first check if something they need is using it, assess the risks and benefits of leaving it on (which to me isn't a straightforward thing to do right away) and then to consider what measures to take, if any, to alleviate those risks.

Someone posted a link to an informative article from 2022, but it is hard to see how much of it applies today, as it seems some things were done to mitigate the issues since then.

So I guess now that everyone and their dog is aware of

Re: (Score:2)

by _merlin ( 160982 )

> As you say, this doesn't appear to be the immediate risk the word "terrifying" in the TFS is implying.

Correct, that part's just clickbait bullshit.

Re: (Score:2)

by Mr. Dollar Ton ( 5495648 )

Ah, I see you've answered that second question in your above post and it appears this isn't some sort of active exploit. Oh, well...

Re: (Score:2)

by JustAnotherOldGuy ( 4145623 )

It's also enabled by default in Mint 21.3.

How does one turn this off, and should it be turned off or disabled?

Re: (Score:2)

by Mr. Dollar Ton ( 5495648 )

Recompiling the kernel from sources with your current config (/boot/config-`uname -r`), with just that option in the new .config set to "n", is the most straightforward way, I guess.

Re: (Score:3)

by Mr. Dollar Ton ( 5495648 )

But, as others have pointed out, perhaps this would be an unnecessary overreaction at present.

Re: (Score:2)

by jmccue ( 834797 )

From what I can see, Slackware has it compiled in:

cd /usr/src/linux-5.15.161/

grep CONFIG_IO_URING .config

CONFIG_IO_URING=y

Re: (Score:3)

by Tailhook ( 98486 )

Google and others already turn off io_uring. io_uring is not available to apps in Android, it's off entirely in ChromeOS and off on Google's own servers. Docker blocks io_uring calls by containers (by default) as well.
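The sub-thread above asks how to tell whether io_uring is compiled in and how to turn it off; the summary's point is that a ring, once set up, does its I/O without the syscalls an EDR watches. The script below is an added example (not from the thread, ARMO or any distro) that audits all three from the defender's side: the kernel config, the kernel.io_uring_disabled sysctl (present on Linux 6.6 and newer; 0 = allowed, 1 = blocked for unprivileged users, 2 = off for everyone, which avoids the rebuild suggested above), and which processes currently hold a ring, visible as an "[io_uring]" anonymous inode under /proc/<pid>/fd. Each function takes its input path as an argument so it can also be run against fixture files; the default paths are the live system ones.

```shell
#!/bin/sh
# Added example: audit io_uring exposure on a Linux host (defender's view).

# CONFIG_IO_URING state in a kernel config file: y, m, n, unset or unreadable.
uring_config_state() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo "unreadable"; return 0; }
    if grep -q '^CONFIG_IO_URING=y' "$cfg"; then echo "y"
    elif grep -q '^CONFIG_IO_URING=m' "$cfg"; then echo "m"
    elif grep -q '^# CONFIG_IO_URING is not set' "$cfg"; then echo "n"
    else echo "unset"; fi
}

# kernel.io_uring_disabled (Linux 6.6+): 0 = enabled, 1 = unprivileged users
# blocked, 2 = disabled system-wide. A missing file means the knob predates
# this kernel, so only a rebuild or a seccomp policy can restrict it.
uring_sysctl_state() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    [ -r "$f" ] || { echo "no-sysctl"; return 0; }
    case "$(cat "$f")" in
        0) echo "enabled" ;;
        1) echo "unprivileged-disabled" ;;
        2) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# PIDs under a /proc-like root that hold at least one io_uring ring. The ring
# fd is an anonymous inode whose link target reads "anon_inode:[io_uring]";
# the target is not a real path, so -e fails and -L is needed for the check.
uring_ring_holders() {
    procroot="${1:-/proc}"
    for d in "$procroot"/[0-9]*; do
        [ -d "$d/fd" ] || continue
        for fd in "$d"/fd/*; do
            [ -e "$fd" ] || [ -L "$fd" ] || continue
            case "$(readlink "$fd" 2>/dev/null)" in
                *"[io_uring]"*) echo "${d##*/}"; break ;;
            esac
        done
    done
}

# Live run (needs read access to /proc/<pid>/fd of other users' processes,
# i.e. root, to see every ring holder).
if [ "${1:-}" = "--audit" ]; then
    echo "config:  $(uring_config_state)"
    echo "sysctl:  $(uring_sysctl_state)"
    echo "rings held by PIDs: $(uring_ring_holders | tr '\n' ' ')"
fi
```

Run it as `sh audit.sh --audit`; a "y" config with sysctl "enabled" and an unexpected PID in the ring-holder list is the combination the summary's detection blind spot depends on.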

Re: Optional kernel feature? (Score:2)

by PPH ( 736903 )

The other solution might be to turn it off when building everything but the most trusted applications. If you've got a performance critical database, go ahead and build the dbms system with it. For stuff like mystery apps you grab off the Internet, or apps that can pull in scripts and stuff, turn it off in their build.

2022 article on io_uring security (Score:4, Informative)

by davidwr ( 791652 )

From [1]Security requirements for new kernel features [lwn.net], Jonathan Corbet, July 28, 2022:

"A recent discussion about security hooks for the new uring_cmd mechanism shows how easily requirements can be overlooked in a complex system with no overall supervision."

[Corbet quoting from another source]

"You're passing the complexity of uring-cmd directly into each and every security module. SELinux, AppArmor, Smack, BPF and every other LSM now needs to know the gory details of everything that might be in any arbitrary subsystem so that it can make a wild guess about what to do. And I thought ioctl was hard to deal with."

There's more there and [2]elsewhere [wikipedia.org].

[1] https://lwn.net/Articles/902466/

[2] https://en.wikipedia.org/w/index.php?title=Io_uring&oldid=1287102929#Security

Re: (Score:2)

by Mr. Dollar Ton ( 5495648 )

This should be modded up; it is a lot more useful than the TFS, if a bit old.

if it is compiled as a module (Score:2)

by FudRucker ( 866063 )

then blacklist it; otherwise, prepare to rebuild your kernel: first run make oldconfig, then find that feature, disable it, save and rebuild. You will have the same kernel minus the vulnerability.

O'RYL? (Score:2)

by SlashbotAgent ( 6477336 )

So I can bypass Linux security by hiding inside an SSL channel?

A blindspot in 3rd party monitoring software is NOT a security bypass. It is a deficiency in the monitoring software.

The world has changed. Tripwire and ClamAV are not adequate protections, if they ever were.

Re: (Score:2)

by Mr. Dollar Ton ( 5495648 )

Awww, come on, didn't you get immediately scared when you saw "terrifying" and "root kit" in the summary :)

Huh. (Score:2)

by jd ( 1658 )

Why are they monitoring syscalls?

The correct solution is surely to use the Linux Kernel Security Module mechanism, as you can then monitor system functions, regardless of how they are accessed. All system functions, not just the ones that have provision for tracepoints.

For something like security software, you want the greatest flexibility for the least effort, and Linux allows you to do just that.

Because it's fine-grained, security companies can then pick and choose what to regard or disregard, giving them
