{"id":14510,"date":"2021-03-12T12:35:45","date_gmt":"2021-03-12T11:35:45","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=14510"},"modified":"2022-04-01T10:26:20","modified_gmt":"2022-04-01T08:26:20","slug":"cyber-defense-expert-discovers-vulnerability-in-linux-audit-framework","status":"publish","type":"post","link":"https:\/\/www.secuinfra.com\/en\/news\/cyber-defense-expert-discovers-vulnerability-in-linux-audit-framework\/","title":{"rendered":"Cyber defense expert discovers vulnerability in Linux audit framework"},"content":{"rendered":"<p>To support our customers with technical expertise and the latest industry knowledge, our cyber defense experts address fundamental questions and undergo mandatory training on a broad variety of products.<\/p>\n<p>It was in carrying out this kind of fundamental research in the Linux audit framework (Auditd) that we discovered a not insignificant vulnerability.<\/p>\n<p>After a thorough evaluation, we determined that file monitoring can be circumvented with sufficient authorizations. Specifically, the user must have the <em>CAP_DAC_READ_SEARCH<\/em> capability. This is typically true of the \u201c<em>root<\/em>\u201d administrator account. Under these conditions, the user can open files with the \u201c<em>open_by_handle_at<\/em>\u201d syscall and read and modify them at will without generating an entry in the Auditd log. 
We verified that this vulnerability can be exploited on <em>CentOS 7, CentOS 8<\/em>\u00a0and\u00a0<em>Ubuntu 16.04<\/em>.<\/p>\n<p>The vulnerability was reported to the manufacturer <em>Red Hat, Inc.<\/em> in mid-November 2020.\u00a0In accordance with standard disclosure practice, we gave the manufacturer 90 days to rectify the vulnerability.\u00a0The problem has been published under the reference <a  href=\"https:\/\/access.redhat.com\/security\/cve\/CVE-2020-35501\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" ><em>CVE-2020-35501<\/em><\/a>.<\/p>\n<p>To keep our customers secure, our employees are deeply involved in the technical aspects of all processes. It is testament to the conscientiousness of our cyber defense experts that they managed to find this vulnerability.<\/p>\n<p>Please feel free to <a href=\"https:\/\/www.secuinfra.com\/en\/contact\/\">contact us<\/a> for more information about the discovery of the vulnerability and possible countermeasures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To support our customers with technical expertise and the latest industry knowledge, our cyber defense experts address fundamental questions and undergo mandatory training on a broad variety of products. 
It [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14503,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[60],"tags":[],"dpc_coauthors":[],"class_list":["post-14510","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/14510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=14510"}],"version-history":[{"count":0,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/14510\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/14503"}],"wp:attachment":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=14510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=14510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=14510"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=14510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}