Grinch Root Access Vulnerability Impacts All Linux Platforms

All Linux Platforms are vulnerable to the ‘Grinch’ Root Access vulnerability

Security researchers at Alert Logic have reported a vulnerability in Linux platforms that could potentially affect every system using Linux, including Android smartphones and tablets. The flaw, dubbed “Grinch”, could allow a user to gain root access to a system, bypassing its security mechanisms and leaving the target machine defenseless. It applies to Linux-powered computers, servers and even Android devices. Alert Logic states:

According to a 2013 report from W3Tech, approximately 65% of all web servers on the Internet utilize a Unix/Linux based operating system. We uncovered a bug that impacts all Linux platforms, including mobile devices, and we’re calling it “grinch.” Fortunately, there are ways to detect the exploit of this bug in your environment until a patch is released.

Exploitation of the logging system

This isn’t the first major vulnerability to be uncovered in Linux. The same researchers had uncovered vulnerabilities in JournalD back in August 2014 which allowed attackers to hijack terminal sessions and remotely execute commands. Further digging led them to Grinch. The vulnerability was found in a Linux authorization system which could give an unauthorized user root access to the system by leveraging “wheel,” a special user group that controls access to the su command and allows one user to operate as if they were another. Writing on the Alert Logic blog, Chief Security Evangelist Stephen Coty stated,

“If we were to compromise the user through a client-side vulnerability or any privilege escalation on the box itself, we would no longer need to worry about cached Sudo authorization timestamp tokens or trying to trick users into providing their credentials with bashrc, environment modifications, or other means,” the researchers explained. “Instead, we can abuse the user’s group privileges to give us access, thus granting direct authentication bypass even if the wheel user cannot get root like in Ubuntu ecosystems.”

A potential attacker could exploit the Grinch flaw either by modifying the user accounts registered in the wheel group or by manipulating Policy Kit (Polkit), a graphical user interface for managing privileged operations for ordinary users.

“Polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, Polkit provides a setuid-root helper program called ‘pkexec’. The hooks to ask the user for authorizations are well integrated into text environments and native in all major graphical environments,” notes Alert Logic in a blog post.

Whichever method the attacker uses, the goal is to gain root access to the system. With root access, the attacker has full administrative control and can install or modify programs and access files in any directory. The attacker can also control the system remotely, which means they could create a self-replicating worm that spreads to other systems almost instantaneously.

Threat perception

With roughly 65% of web servers running Linux/Unix, the threat posed by this vulnerability cannot be emphasized enough. Major companies that run their services on Linux-based systems will be affected, including the cloud servers of Amazon and Microsoft, not to mention the half a billion Android users around the world who are at risk. “We find that possession of user logs and knowledge of your own environment are the best security content to help you navigate away from a bug like grinch,” the team advised. “Know how your Linux administrator is installing packages and managing updates.”

On the bright side, the researchers also said they were unaware of any instance of this vulnerability having been exploited so far, so no major damage has been done. Until a proper patch is released, it is advised to restrict user permissions on Linux systems and to monitor user activity.
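The two levers the article names, membership of the wheel/sudo group and polkit’s setuid-root helper pkexec, both leave traces that the recommended monitoring can pick up. The script below is an added example and is not code from the article or from Alert Logic: it lists the members of the administrative groups from a group(5)-format file and flags auth-log lines recording additions to wheel or sudo and pkexec invocations. The sample group file and log lines are constructed for the example; the log wording assumes the syslog messages emitted by shadow-utils (usermod, gpasswd) and by pkexec, and on a real host you would point the functions at /etc/group and /var/log/auth.log or journalctl output instead.

```shell
#!/bin/sh
# Added audit/detection example (not Alert Logic's code). It reviews the two
# levers described in the article, wheel/sudo group membership and pkexec
# use, against a group(5)-format file and a syslog-style auth log. The
# sample files below are constructed for this example; on a real host point
# the functions at /etc/group and /var/log/auth.log (or journalctl output).

# Print the members of the administrative groups wheel and sudo.
privileged_group_members() {
  awk -F: '$1 == "wheel" || $1 == "sudo" { print $1 ": " ($4 == "" ? "(none)" : $4) }' "$1"
}

# Log lines in which usermod(8) or gpasswd(1) added someone to wheel or sudo.
# The message wording assumed here follows shadow-utils' syslog output.
group_change_events() {
  grep -E "usermod\[[0-9]+\]: add '[^']+' to group '(wheel|sudo)'|gpasswd\[[0-9]+\]: user [^ ]+ added by [^ ]+ to group (wheel|sudo)" "$1"
}

# Log lines in which pkexec (the polkit setuid-root helper) ran a command
# as another user; wording assumed from pkexec's own syslog message.
pkexec_events() {
  grep -E 'pkexec\[[0-9]+\]: [^:]+: Executing command \[USER=' "$1"
}

# Counts, trimmed so they compare cleanly on any wc(1) implementation.
group_change_count() { group_change_events "$1" | wc -l | tr -d ' '; }
pkexec_count()       { pkexec_events "$1" | wc -l | tr -d ' '; }

# --- constructed sample data ---------------------------------------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
GROUP_FILE="$WORKDIR/group"
AUTH_LOG="$WORKDIR/auth.log"

cat > "$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:alice,carol
sudo:x:27:bob
users:x:100:
EOF

# Constructed log: two admin-group additions, one unrelated group addition,
# one pkexec run and one ordinary SSH login.
cat > "$AUTH_LOG" <<'EOF'
Dec 18 10:01:02 host usermod[2211]: add 'alice' to group 'wheel'
Dec 18 10:02:10 host gpasswd[2250]: user bob added by root to group sudo
Dec 18 10:03:30 host gpasswd[2260]: user dave added by root to group users
Dec 18 10:05:44 host pkexec[2300]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Dec 18 10:06:00 host sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 5022 ssh2
EOF

# --- report ---------------------------------------------------------------
echo "== members of wheel/sudo (review each one) =="
privileged_group_members "$GROUP_FILE"
echo "== additions to wheel/sudo: $(group_change_count "$AUTH_LOG") =="
group_change_events "$AUTH_LOG"
echo "== pkexec invocations: $(pkexec_count "$AUTH_LOG") =="
pkexec_events "$AUTH_LOG"
```

Every name the report prints should be a person the administrator knowingly granted admin rights; an addition to wheel or sudo that nobody can account for, or a pkexec run by an account that has no business elevating, is the kind of event the article’s advice to “know your own environment” is meant to surface.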

In terms of severity, Grinch could be to Linux what ShellShock is to Windows, and even more severe, since ShellShock only affected those Windows machines that had Cygwin installed. Until a patch is released, all devices running Linux are vulnerable to Grinch. The Linux team is yet to confirm Alert Logic’s finding or issue a patch for this vulnerability, but Coty believed that Linux was working on the issue.

8 COMMENTS

  1. “On the vulnerability level, Grinch could be to Linux what ShellShock is to Windows.”

    So does that mean that this is not an issue? Since Shellshock didn’t affect Windows in anyway? A bit more clarification would be nice.

  2. This is another “widespread vulnerability” that requires the equivalent of throwing dominoes on the floor and having them all land standing up, within reach of each other, so the “hacker” can tip the first one over…

    My “default” Ubuntu systems don’t even have packagekit-tools installed, and while I think the Alert Logic folks are positing that this could happen with any number of packages, they weren’t very clear on that matter. An actual published analysis would be helpful – I read their blog and it was not much more help than this Chicken Little-like article with its wildly over-reactive title.

  3. “give an unauthorized user root access to the system by leveraging “wheel,” a special user group that controls access to the su command and allows one user to operate as if they were another.”
    If a user is a member of the ‘wheel’ group, they are authorized by definition. Obviously you shouldn’t give non-trusted users wheel privileges. This is a non-issue.
    Red Hat’s response is pretty clear https://access.redhat.com/articles/1298913

  4. This is not a bug. This is how a UNIX system works and it is not a bug. This is intended.

    UNIX and LINUX systems are multi-user systems. To handle the work load the administrator rights can be divided among several persons. This mechanism that is said to be a bug is the way that several people are given access to the systems so they can help admin it.

    So it is not a bug. It’s standard practice. The people reporting it as a bug are misinformed about how UNIX works.
