25.04.2025., 12:27
|
#43
|
White Rabbit
Registration date: May 2006
Location: -
Posts: 4,959
|
Heads up...
Quote:
“This evasion technique has been available since io_uring was added to the Linux kernel, but until now, no one had developed a fully functional rootkit that demonstrated its true potential,” said Ben Hirschberg, CTO and co-founder at ARMO.
“Leading cybersecurity vendors are still treating Linux as a second-class citizen. This is a huge gap, especially with the widespread cloud-native adoption, which is mostly Linux based. This is a wake-up call for the entire cybersecurity industry that cloud-native security is a discipline in its own right.”
|
> Techzine
Quote:
You are probably going to see a lot of news about the new Curing vulnerability which can take advantage of the io_uring system call interface which is enabled in many Linux kernels. At a glance it seems terrifying, a way to infect a machine that is essentially invisible to current antivirus software is not a good thing, but in order to make use of it you already have to have root privileges. If an attacker already has root, then the game is finished. Then again, if there is a way to leverage this Curing rootkit without having root privileges, then you can rightfully panic.
What is interesting about Curing is what it reveals about how security software functions, and that they all definitely have a blind spot. Current protections monitor system calls, which are certainly things which need to be closely watched, but Curing reveals that they need to do more. The article is light on details, likely on purpose to ensure bad actors can’t immediately leverage this possible vulnerability, but apparently Curing can be used to make network connections or tamper with files without your antivirus programs detecting it.
|
> PcPer