Researchers at cloud security company Alert Logic have discovered a vulnerability in the Linux platform that can lead to privilege escalation. The flaw has been dubbed “Grinch.”
According to Alert Logic, Grinch could affect all Linux systems, including Web servers and mobile devices. The security hole is actually a common configuration issue related to Polkit, a relatively new component used for controlling system-wide privileges on Unix-like operating systems.
Unlike Sudo, which enables system administrators to give certain users the ability to run commands as root or another user, Polkit allows a finer level of control by delimiting distinct actions and users, and defining how the users can perform those actions.
Privilege escalation can be achieved through “wheel,” a special user group with administrative privileges. On Linux systems, the default user is automatically assigned to this group, Stephen Coty, chief security evangelist at Alert Logic, wrote in a blog post.
“The problem pointed out by Alert Logic is twofold. First of all, the default Polkit configuration on many Unix systems (e.g. Ubuntu), does not require authentication. Secondly, the Polkit configuration essentially just maps the ‘wheels’ group, which is commonly used for Sudo users, to the Polkit ‘Admin’. This gives users in the ‘wheel’ group access to administrative functions, like installing packages, without having to enter a password,” explained Johannes Ullrich of the SANS Internet Storm Center.
“The main risk is privilege escalation. With Sudo, an attacker would have to enter the user’s password after compromising a lesser user account in the wheel group. With Polkit, all it takes is to install a package using the Polkit tool ‘pkcon’, which takes advantage of the loose Polkit configuration to install packages,” Ullrich added.
Alert Logic has pointed out that the flaw mostly affects home users, but the company believes an attack could also work in a corporate environment where many users are assigned to the “wheel” group for one reason or another.
Proper management of Polkit authorization rules and group privileges is the easiest way to defend against such attacks until a patch is released, Coty said.
While system administrators should check if their networks are vulnerable to “Grinch” attacks, Ullrich believes the flaw is not as severe as the recently disclosed GNU Bash vulnerability dubbed “ShellShock.”
“Of course, Shellshock and this Polkit issue make a great 1-2 punch to get root on a Unix system. But I doubt a system still vulnerable to Shellshock has no other privilege escalation vulnerability. So I don’t think this is such a huge issue. Fix Shellshock first if that is the case,” the expert noted.
An actual patch might never be released for Grinch since Red Hat doesn’t consider this to be a security issue or even a bug, arguing that what Alert Logic described is expected behavior.
“The PackageKit console client (pkcon) is a utility which allows users in the wheel group, also known as local administrators, to install packages. This utility allows local administrators to install packages without a password if they are a ‘local user’, meaning they are using the physical keyboard attached to the computer. If you are a user who does not have a physical console (such as a remote user connected via SSH), you must supply authentication credentials to install packages,” Red Hat explained.
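One way an administrator can check a host for the configuration described above is to inspect Polkit's implicit authorizations: an action whose `implicit active` value is `yes` needs no password from a locally logged-in user, while `implicit inactive` governs remote sessions such as SSH, which is the distinction Red Hat draws. The script below is an added example, not code from the article, Alert Logic or the Polkit project; the `pkaction --verbose` sample it parses is constructed, and the `wheel` group it points at is the one the article says Polkit maps to its admin identity.

```shell
#!/bin/sh
# Audit helper (added example): list Polkit actions that an *active local*
# session may perform with no authentication at all ("implicit active: yes").
# That setting is what lets a wheel-group user run `pkcon install` without a
# password, while remote (inactive) sessions still see "implicit inactive".
#
# Input is the output of `pkaction --verbose` (one block per action id),
# read from stdin so saved or constructed output can be fed in as well.
passwordless_active_actions() {
    awk '
        # an unindented line ending in ":" starts a new action block
        /^[^[:space:]].*:$/ { sub(/:$/, ""); action = $0; next }
        # "implicit active:   yes" = no auth for active local sessions
        /^[[:space:]]+implicit active:/ {
            split($0, f, ":")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", f[2])
            if (f[2] == "yes") print action
        }
    '
}

# Constructed sample of `pkaction --verbose` output for two actions, in the
# format pkaction prints; values chosen to show a passwordless action next to
# one that still prompts for the administrator password.
SAMPLE_PKACTION='org.freedesktop.packagekit.package-install:
  description:       Install package
  vendor:            The PackageKit Project
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes
org.freedesktop.packagekit.system-update:
  description:       Update packages
  vendor:            The PackageKit Project
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep'

# On a real host (needs polkit installed):
#   pkaction --verbose | passwordless_active_actions
# and review who sits in the group Polkit treats as admin:
#   getent group wheel
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PKACTION" | passwordless_active_actions
fi
```

Run with `--demo` to see the check applied to the constructed sample; any action it prints is one that local console users in the mapped admin group can trigger without a password and is a candidate for a tighter Polkit rule.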
Earlier this week, the developers of several Unix-like operating systems started releasing patches to address a couple of vulnerabilities affecting the mailx utility. Linux distributions such as Red Hat Enterprise Linux, CentOS, Debian and Ubuntu are affected.
*Updated with statement from Red Hat