CVE-2020-35501 Overview
CVE-2020-35501 is a flaw in the Linux kernel's implementation of audit rules. A syscall can unexpectedly fail to be logged by the audit subsystem under certain conditions. The vulnerability affects the Linux kernel and Red Hat Enterprise Linux 7 and 8. The issue is classified under [CWE-863] Incorrect Authorization and is tracked in Red Hat Bug Report #1908577.
The flaw requires local access with high privileges to exploit. An attacker with appropriate access can perform actions that bypass audit logging, weakening forensic visibility and detection capabilities on affected hosts.
Critical Impact
A local privileged user can execute syscalls that escape audit logging, undermining incident response and compliance monitoring on affected Linux systems.
Affected Products
- Linux Kernel
- Red Hat Enterprise Linux 7.0
- Red Hat Enterprise Linux 8.0
Discovery Timeline
- 2022-03-30 - CVE-2020-35501 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-35501
Vulnerability Analysis
The Linux kernel audit subsystem records security-relevant events such as syscalls, file access, and authentication activity. Administrators configure audit rules through auditctl to specify which syscalls trigger log entries, with the expectation that every syscall matching a rule produces a record.
CVE-2020-35501 breaks that expectation. Under specific conditions, the kernel fails to evaluate or apply audit rules to a syscall, and the event is silently dropped from the audit trail. The EPSS score is 0.084%, indicating low expected exploitation activity.
The flaw is categorized as [CWE-863] Incorrect Authorization. It affects the integrity of audit data, which security teams rely on for compliance frameworks such as PCI DSS, HIPAA, and FedRAMP.
Root Cause
The root cause resides in how the Linux kernel's audit subsystem processes syscall context. A logic error in the audit rule matching path causes specific syscalls to bypass evaluation. The result is missing audit records for actions that should have been logged.
Detailed technical analysis is available in the Red Hat Bug Report #1908577.
Attack Vector
Exploitation requires local access to the target system with elevated privileges. The attack vector is not remote and does not require user interaction. An attacker who already has privileged shell access can perform sensitive operations knowing those actions will not appear in audit logs.
The primary impact is loss of audit integrity rather than direct code execution or data theft. This makes the flaw most useful as a post-exploitation tool to evade detection during a broader intrusion.
No public exploit code or proof-of-concept is currently available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2020-35501
Indicators of Compromise
- Gaps in audit logs where expected syscall events are missing relative to file system or process activity observed through other telemetry.
- Discrepancies between auditd records and kernel-level behavioral telemetry from endpoint detection tools.
- Privileged user sessions performing sensitive operations with sparse or absent audit coverage.
Detection Strategies
- Correlate auditd events against independent kernel telemetry sources such as eBPF-based monitoring or EDR sensors to identify missing syscall records.
- Monitor kernel version and patch state across the fleet to flag hosts running unpatched Red Hat Enterprise Linux 7 or 8 builds.
- Apply behavioral analytics to privileged user activity rather than relying solely on audit logs for sensitive system events.
Monitoring Recommendations
- Forward auditd logs to a centralized SIEM and alert on unexpected drops in event volume or missing rule matches.
- Track kernel package versions through configuration management tooling to confirm patch coverage.
- Baseline normal audit event volumes per host and alert on significant deviations that may indicate audit evasion.
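The correlation check described under Detection Strategies and Monitoring Recommendations above, as an added example that is not from the page or from Red Hat: it parses constructed auditd SYSCALL records and constructed exec events from an independent sensor (an eBPF exec tracer is assumed), flags exec events with no matching audit record, and reports holes in the auditd serial sequence.

```python
import re
from collections import defaultdict

# Constructed auditd SYSCALL records (trimmed to the fields this check needs).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=59 success=yes exit=0 pid=4101 uid=0 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.205:1002): arch=c000003e syscall=59 success=yes exit=0 pid=4102 uid=0 comm="id" exe="/usr/bin/id"
type=SYSCALL msg=audit(1700000001.350:1004): arch=c000003e syscall=59 success=yes exit=0 pid=4104 uid=0 comm="ls" exe="/usr/bin/ls"
"""
# Constructed exec events from an independent sensor (assumed eBPF exec tracer): "<ts> <pid> <exe>".
SENSOR_EXECS = """\
1700000000.100 4101 /usr/bin/cat
1700000000.204 4102 /usr/bin/id
1700000000.900 4103 /usr/bin/chmod
1700000001.349 4104 /usr/bin/ls
"""
AUDIT_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?\bpid=(?P<pid>\d+)")

def parse_audit(text):
    """Return (timestamp, serial, pid) for every type=SYSCALL line."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=SYSCALL"):
            m = AUDIT_RE.search(line)
            if m:
                records.append((float(m["ts"]), int(m["serial"]), int(m["pid"])))
    return records

def serial_gaps(records):
    """Serial numbers missing from the sequence. The kernel numbers audit events
    consecutively, so a hole means an event was never written or was lost in the
    backlog (compare with the 'lost' counter from auditctl -s before concluding)."""
    serials = sorted({r[1] for r in records})
    return [s for a, b in zip(serials, serials[1:]) for s in range(a + 1, b)]

def unaudited_execs(records, sensor_text, window=0.5):
    """Sensor exec events with no SYSCALL record for the same pid within
    `window` seconds; each one is a candidate missing audit record."""
    audited = defaultdict(list)
    for ts, _, pid in records:
        audited[pid].append(ts)
    missing = []
    for line in sensor_text.splitlines():
        ts, pid, exe = line.split()
        ts, pid = float(ts), int(pid)
        if not any(abs(t - ts) <= window for t in audited.get(pid, [])):
            missing.append((pid, exe))
    return missing
```

A serial gap alone is not proof of this flaw, since backlog overflow also drops records; the sensor cross-check is the stronger signal.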
How to Mitigate CVE-2020-35501
Immediate Actions Required
- Apply vendor kernel updates from Red Hat for affected Red Hat Enterprise Linux 7 and 8 systems.
- Inventory all Linux hosts and identify those running affected kernel versions.
- Restrict privileged local access to audited Linux hosts and enforce strong access controls for root and CAP_AUDIT_CONTROL capability holders.
Patch Information
Red Hat addressed this issue through kernel updates for Red Hat Enterprise Linux 7 and 8. Refer to the Red Hat Bug Report #1908577 for specific package versions and errata advisories. Apply the latest kernel updates from your distribution and reboot affected systems.
Workarounds
- No official workaround eliminates the flaw without patching. Reduce exposure by limiting local privileged access.
- Supplement auditd with independent kernel telemetry such as eBPF tracing to maintain visibility on unpatched systems.
- Increase monitoring of administrative accounts and review sudo activity through external logging channels.
# Check current kernel version and audit subsystem status
uname -r
# auditctl needs root; the "lost" counter in its output counts records the
# kernel could not deliver to auditd, which is a separate cause of gaps
sudo auditctl -s
# Update kernel on Red Hat Enterprise Linux
sudo yum update kernel
sudo reboot
# Verify audit rules are loaded after reboot
sudo auditctl -l
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.