Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.6, < 7.0
A vulnerability in the Linux kernel's audit subsystem allows the new fchmodat2() system call, introduced in version 6.6, to bypass audit rules. The issue arises because fchmodat2() was not included in the audit subsystem's change attributes class, unlike its predecessor fchmodat(). As a result, actions performed with fchmodat2() do not trigger the expected audit notifications, which leaves a way to change file permissions without detection. This vulnerability affects Linux kernel versions 6.6 and 6.12, as well as several other versions within the 5.x and 6.x ranges.
Exploitation of this vulnerability allows for unauthorized changes to file attributes, specifically permissions, without triggering corresponding audit notifications. This lack of oversight can be exploited to manipulate file permissions stealthily, potentially leading to unauthorized access or modifications.
The vulnerability can be reproduced by first setting an audit rule that monitors changes to file attributes. With the rule applied, the fchmodat2() system call is used to change the permissions of a file. Unlike the fchmodat() call, which correctly triggers the audit notification, fchmodat2() bypasses the audit system and the permission change goes undetected.
Users are advised to update to Linux kernel version 7.0 or later, where this vulnerability has been fixed. For those on LTS versions, the patch is available in the latest updates.
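A rule audit that follows from the reproduction described above, as an added example that is not part of the original advisory: it tags each audit rule by whether it relies on the change attributes class, lists the older chmod-family calls without fchmodat2, or names fchmodat2 explicitly. It assumes rules in `auditctl -l` output format and that fchmodat2 is syscall number 452; the function names and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: find audit rules that miss fchmodat2().
# Assumptions: rules are in `auditctl -l` format; fchmodat2 is syscall number 452.

# kernel_in_range VERSION: succeeds if VERSION falls in the page's range (>= 6.6, < 7.0).
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}                 # "12.3-arch1" -> "12"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -eq 6 ] && [ "$minor" -ge 6 ]
}

# classify_rules: reads rules on stdin, prints a tag plus the rule for each relevant one.
#   CLASS  perm filter containing "a": relies on the change attributes class
#   OMITS  -S list has chmod/fchmod/fchmodat but not fchmodat2
#   NAMES  -S list includes fchmodat2, by name or as 452
classify_rules() {
    awk '{
        perm = 0; legacy = 0; named = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-p" && $(i+1) ~ /a/) perm = 1
            if ($i == "-F" && $(i+1) ~ /^perm=.*a/) perm = 1
            if ($i != "-S") continue
            n = split($(i+1), sc, ",")
            for (j = 1; j <= n; j++) {
                if (sc[j] ~ /^(chmod|fchmod|fchmodat)$/) legacy = 1
                if (sc[j] ~ /^(fchmodat2|452)$/) named = 1
            }
        }
        if (named) print "NAMES " $0
        else if (legacy) print "OMITS " $0
        else if (perm) print "CLASS " $0
    }'
}

# Constructed sample rules (not taken from a real host).
SAMPLE_RULES='-w /etc/shadow -p wa -k shadow
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F key=perm_mod
-a always,exit -F arch=b64 -S 452 -F key=perm_mod2
-a always,exit -F arch=b64 -S execve -F key=exec'

printf '%s\n' "$SAMPLE_RULES" | classify_rules
if kernel_in_range "$(uname -r)"; then
    echo "running kernel is inside the affected range"
else
    echo "running kernel is outside the affected range (or unparsed)"
fi
```

On a host, pipe `auditctl -l` into `classify_rules`; on a kernel inside the affected range, rules tagged CLASS or OMITS are the ones that will not record an fchmodat2() call.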