Connect with us

Hi, what are you looking for?



Linux Systems Affected by “Grinch” Vulnerability: Researchers

Researchers at cloud security company Alert Logic have discovered a vulnerability in the Linux platform that can lead to privilege escalation. The flaw has been dubbed “Grinch.”

Researchers at cloud security company Alert Logic have discovered a vulnerability in the Linux platform that can lead to privilege escalation. The flaw has been dubbed “Grinch.”

According to Alert Logic, Grinch could affect all Linux systems, including Web servers and mobile devices. The security hole is actually a common configuration issue related to Polkit, a relatively new component used for controlling system-wide privileges on Unix-like operating systems.

Unlike Sudo, which enables system administrators to give certain users the ability to run commands as root or another user, Polkit allows a finer level of control by delimiting distinct actions and users, and defining how the users can perform those actions.

Privilege escalation can be achieved through “wheel,” a special user group with administrative privileges. On Linux systems, the default user is automatically assigned to this group, Stephen Coty, chief security evangelist at Alert Logic wrote in a blog post.

“The problem pointed out by Alert Logic is two fold. First of all, the default Polkit configuration on many Unix systems (e.g. Ubuntu), does not require authentication. Secondly, the Polkit configuration essentially just maps the ‘wheels’ group, which is commonly used for Sudo users, to the Polkit ‘Admin’. This gives users in the ‘wheel’ group access to administrative functions, like installing packages, without having to enter a password,” explained Johannes Ullrich of the SANS Internet Storm Center.

“The main risk is privilege escalation. With Sudo, an attacker would have to enter the user’s password after compromising a lesser user account in the wheel group. With Polkit, all it takes is to install a package using the Polkit tool ‘pkcon’, which takes advantage of the loose Polkit configuration to install packages,” Ullrich added.

Alert Logic has pointed out that the flaw mostly affects home users, but the company believes an attack could also work in a corporate environment where many users are assigned to the “wheel” group for one reason or another.

Advertisement. Scroll to continue reading.

Proper management of Polkit authorization rules and group privileges is the easiest way to defend against such attacks until a patch is released, Coty said.

While system administrators should check if their networks are vulnerable to “Grinch” attacks, Ullrich believes the flaw is not as severe as the recently disclosed GNU Bash vulnerability dubbed “ShellShock.”

“Of course, Shellshock and this Polkit issue make a great 1-2 punch to get root on a Unix system. But I doubt a system still vulnerable to Shellshock has no other privilege escalation vulnerability. So I don’t think it this is such a huge issue. Fix Shellshock first if that is the case,” the expert noted.

An actual patch might never be released for Grinch since Red Hat doesn’t consider this to be a security issue or even a bug, arguing that what Alert Logic described is expected behavior.

“The PackageKit console client (pkcon) is a utility which allows users in the wheel group, also known as local administrators, to install packages. This utility allows local administrators to install packages without a password if they are a ‘local user’, meaning they are using the physical keyboard attached to the computer. If you are a user who does not have a physical console (such as a remote users connected via SSH), you must supply authentication credentials to install packages,” Red Hat explained.

Earlier this week, the developers of several Unix-like operating systems started releasing patches to address a couple of vulnerabilities affecting the mailx utility. Linux distributions such as Red Hat Enterprise Linux, CentOS, Debian and Ubuntu are affected.

*Updated with statement from Red Hat

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.