Researchers at cloud security company Alert Logic have described a privilege escalation issue affecting Linux systems, which they have dubbed “Grinch.”
According to Alert Logic, Grinch could affect all Linux systems, including Web servers and mobile devices. The security hole is not a code defect but a common configuration issue related to Polkit (formerly PolicyKit), the component used for controlling system-wide privileges on Unix-like operating systems.
Unlike Sudo, which enables system administrators to give certain users the ability to run commands as root or another user, Polkit allows a finer level of control: it defines distinct actions (for example, installing a package), which users may perform each of them, and under what conditions they may do so, such as whether a password is required and whether the user must be logged in at the local console.
The escalation path runs through “wheel,” a special user group with administrative privileges. On Linux systems, the default user is automatically assigned to this group, Stephen Coty, chief security evangelist at Alert Logic, wrote in a blog post.
“The problem pointed out by Alert Logic is twofold. First of all, the default Polkit configuration on many Unix systems (e.g. Ubuntu), does not require authentication. Secondly, the Polkit configuration essentially just maps the ‘wheel’ group, which is commonly used for Sudo users, to the Polkit ‘Admin’. This gives users in the ‘wheel’ group access to administrative functions, like installing packages, without having to enter a password,” explained Johannes Ullrich of the SANS Internet Storm Center.
“The main risk is privilege escalation. With Sudo, an attacker would have to enter the user’s password after compromising a lesser user account in the wheel group. With Polkit, all it takes is to install a package using the Polkit tool ‘pkcon’, which takes advantage of the loose Polkit configuration to install packages,” Ullrich added.
Alert Logic has pointed out that the flaw mostly affects home users, but the company believes an attack could also work in a corporate environment where many users are assigned to the “wheel” group for one reason or another.
Proper management of Polkit authorization rules and group privileges is the easiest way to defend against such attacks until a patch is released, Coty said.
While system administrators should check if their networks are vulnerable to “Grinch” attacks, Ullrich believes the flaw is not as severe as the recently disclosed GNU Bash vulnerability dubbed “ShellShock.”
“Of course, Shellshock and this Polkit issue make a great 1-2 punch to get root on a Unix system. But I doubt a system still vulnerable to Shellshock has no other privilege escalation vulnerability. So I don’t think this is such a huge issue. Fix Shellshock first if that is the case,” the expert noted.
An actual patch might never be released for Grinch since Red Hat doesn’t consider this to be a security issue or even a bug, arguing that what Alert Logic described is expected behavior.
“The PackageKit console client (pkcon) is a utility which allows users in the wheel group, also known as local administrators, to install packages. This utility allows local administrators to install packages without a password if they are a ‘local user’, meaning they are using the physical keyboard attached to the computer. If you are a user who does not have a physical console (such as a remote user connected via SSH), you must supply authentication credentials to install packages,” Red Hat explained.
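To make the difference between the configurations described above concrete, here is an added example (not code from the article, Alert Logic or Red Hat) written in the JavaScript dialect polkitd uses for rules files in /etc/polkit-1/rules.d/. It contains three rules files side by side: one matching the behaviour Red Hat describes (wheel members install without a password only from the local console), the loose variant Ullrich describes (wheel members install without a password from anywhere, including an SSH session), and a hardened one that always demands the admin password for PackageKit actions. The rules API (`polkit.addRule`, `polkit.addAdminRule`, `polkit.Result`, `subject.isInGroup`, `subject.local`, `subject.active`, `action.id`) and the action id `org.freedesktop.packagekit.package-install` are those documented for Polkit and PackageKit; the small `makePolkit` harness that evaluates the rules is a stand-in for polkitd written for this example, the `.policy` defaults are an assumption, and the user names, sessions and `/etc/group` sample are constructed.

```javascript
'use strict';

// Stand-in for the `polkit` global that polkitd exposes to the JavaScript
// rules files in /etc/polkit-1/rules.d/. polkitd runs rules in file order and
// takes the first result that is not NOT_HANDLED; if no rule handles the
// action, the defaults compiled into the action's .policy file apply.
function makePolkit() {
  const rules = [];
  const adminRules = [];
  return {
    Result: { NO: 'no', YES: 'yes', AUTH_ADMIN: 'auth_admin',
              AUTH_ADMIN_KEEP: 'auth_admin_keep', NOT_HANDLED: null },
    addRule(fn) { rules.push(fn); },
    addAdminRule(fn) { adminRules.push(fn); },
    log() {},                            // real polkit.log() writes to syslog
    evaluate(action, subject, defaults) {
      for (const rule of rules) {
        const res = rule(action, subject);
        if (res !== null && res !== undefined) return res;
      }
      if (!subject.local) return defaults.allow_any;
      return subject.active ? defaults.allow_active : defaults.allow_inactive;
    },
  };
}

// Subject as rules see it: user, groups, and whether the session is on a
// local seat and currently active (a console login vs. an SSH session).
function makeSubject({ user, groups, local, active }) {
  return { user, local, active, isInGroup: g => groups.includes(g) };
}

// Three rules files, written as they would appear in rules.d/.
const RULESETS = {
  // Behaviour Red Hat describes: wheel installs without a password only from
  // the physical console; SSH users fall through to the .policy defaults.
  'console-only': function (polkit) {
    polkit.addRule(function (action, subject) {
      if (action.id == "org.freedesktop.packagekit.package-install" &&
          subject.local == true && subject.active == true &&
          subject.isInGroup("wheel")) {
        return polkit.Result.YES;
      }
    });
  },
  // The loose pattern the article warns about: the local/active test is
  // missing, so a compromised wheel account reached over SSH can run
  // `pkcon install` with no password at all.
  'loose': function (polkit) {
    polkit.addRule(function (action, subject) {
      if (action.id == "org.freedesktop.packagekit.package-install" &&
          subject.isInGroup("wheel")) {
        return polkit.Result.YES;
      }
    });
  },
  // Hardened: every PackageKit action prompts for the admin password, console
  // or not. Wheel stays the admin identity that can satisfy the prompt.
  'hardened': function (polkit) {
    polkit.addRule(function (action, subject) {
      if (action.id.indexOf("org.freedesktop.packagekit.") == 0) {
        return polkit.Result.AUTH_ADMIN;
      }
    });
    polkit.addAdminRule(function (action, subject) {
      return ["unix-group:wheel"];
    });
  },
};

// Assumed .policy defaults for package-install (check the real ones with
// `pkaction --verbose --action-id org.freedesktop.packagekit.package-install`).
const DEFAULTS = { allow_any: 'auth_admin', allow_inactive: 'auth_admin',
                   allow_active: 'auth_admin' };

// Result polkitd would hand back for `pkcon install` under a given rules file.
function decide(rulesetName, subject) {
  const polkit = makePolkit();
  RULESETS[rulesetName](polkit);
  return polkit.evaluate({ id: 'org.freedesktop.packagekit.package-install' },
                         subject, DEFAULTS);
}

// Audit helper for the other half of the problem: who is in wheel at all.
// Parses /etc/group text; a constructed sample is used below.
function wheelMembers(etcGroupText) {
  for (const line of etcGroupText.split('\n')) {
    const [name, , , members] = line.split(':');
    if (name === 'wheel') return members ? members.split(',').filter(Boolean) : [];
  }
  return [];
}

const SAMPLE_ETC_GROUP =             // constructed sample, not from a real host
  'root:x:0:\nwheel:x:10:alice,bob,svc-backup\nusers:x:100:\n';

// One line per rules file: what a wheel member gets at the console vs. over SSH.
function report() {
  const consoleWheel = makeSubject({ user: 'alice', groups: ['wheel'], local: true, active: true });
  const sshWheel = makeSubject({ user: 'alice', groups: ['wheel'], local: false, active: false });
  const lines = Object.keys(RULESETS).map(name =>
    `${name}: console=${decide(name, consoleWheel)} ssh=${decide(name, sshWheel)}`);
  lines.push('wheel members: ' + wheelMembers(SAMPLE_ETC_GROUP).join(' '));
  return lines;
}

console.log(report().join('\n'));
```

The `loose` line of the report is the Grinch case: an attacker who has phished or otherwise taken over any account listed under `wheel members` gets `yes` from over SSH and can install packages with `pkcon` without ever typing a password. On a real host, `pkcheck --action-id org.freedesktop.packagekit.package-install --process $$` from an SSH session gives the live answer, and `getent group wheel` the live membership list.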
Earlier this week, the developers of several Unix-like operating systems started releasing patches to address a couple of vulnerabilities affecting the mailx utility. Linux distributions such as Red Hat Enterprise Linux, CentOS, Debian and Ubuntu are affected.
*Updated with statement from Red Hat

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.