CVE-2020-35501 in Linux
Summary
by MITRE • 03/30/2022
A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/01/2022
The vulnerability identified as CVE-2020-35501 represents a critical flaw in the Linux kernel's audit subsystem implementation that affects the proper logging of system calls. This issue manifests when certain system calls fail to be correctly recorded by the audit framework despite being subject to active audit rules, creating potential blind spots in security monitoring and compliance enforcement. The flaw specifically impacts how the kernel processes and evaluates audit rules for system call monitoring, leading to inconsistent logging behavior that can compromise the integrity of security audit trails.
The technical implementation of this vulnerability stems from improper handling within the kernel's audit rule evaluation logic where specific system call patterns or conditions cause the audit subsystem to bypass logging mechanisms that should be active according to configured rules. This occurs at the kernel level during the processing of system call events, where the audit subsystem fails to properly match incoming system call requests against established audit rules, resulting in missed audit records for potentially sensitive operations. The flaw demonstrates a weakness in the kernel's rule matching and event processing components, particularly when dealing with complex audit rule configurations that involve multiple conditions or specific system call parameters.
Operationally, this vulnerability creates significant security implications for systems relying on comprehensive audit logging for compliance, incident response, and security monitoring purposes. Organizations implementing security controls based on audit trail completeness may experience false negatives where malicious activities or policy violations occur without proper logging, potentially masking security incidents and hindering forensic investigations. The impact extends beyond simple logging failures as it can affect compliance with regulatory requirements such as pci dss, hipaa, and soc 2 standards that mandate comprehensive system call monitoring. Systems with active audit rules may appear to be properly configured while simultaneously failing to log critical system calls, creating a false sense of security that can delay detection of security incidents and compromise audit readiness.
The vulnerability aligns with CWE-252, which describes an issue where an application fails to check for errors or fails to properly handle error conditions, and relates to ATT&CK technique T1070.002 for Indicator Removal on Host. The flaw specifically affects the audit subsystem's ability to maintain complete audit trails, potentially allowing attackers to evade detection by exploiting the logging gaps. Organizations should implement immediate mitigations including kernel updates to versions containing the patched audit subsystem implementation, thorough review of existing audit rules to identify potential gaps, and enhanced monitoring of audit subsystem behavior. Additionally, system administrators should consider implementing redundant logging mechanisms and regular audit trail validation procedures to detect and compensate for potential logging failures, while also ensuring that audit rule configurations are regularly tested to verify proper system call monitoring across all relevant operations.