Doubts Raised About “Grinch” Linux Vulnerability
Security researchers have announced a new “vulnerability” in Linux dubbed “Grinch”, which allows for escalation-of-privilege attacks in versions of Linux that use the polkit toolkit for privilege authorization. However, the true threat of this vulnerability is much more limited.
The bug was named after the holiday season and the Dr. Seuss character, since some would say it has the potential to ruin the season for network administrators. An independent researcher first posted about this vulnerability – which he called PackageKit Privilege Escalation – almost a month ago.
Whether this flaw is a real vulnerability at all is debatable. SANS, in a blog post discussing the flaw, described it as more a “common overly permissive configuration of many Linux systems.” Red Hat goes even further and describes it as “expected behavior”.
The scope of this vulnerability is very limited. Grinch is not remotely exploitable; it requires that an attacker have physical access to the server they want to attack. In addition, the attacker must already have access to an account in the wheel group (i.e., already have elevated privileges as a local administrator), polkit must be installed, and the PackageKit package management system must be in use. The barriers to exploitation are significant: to exploit this flaw, you must already have very high levels of access, which makes exploiting this “vulnerability” unnecessary.
While attacks that exploit Grinch directly are unlikely, it does serve as a useful reminder to double-check membership in administrator groups, to ensure that only necessary users have this access, and to clean up unsecured polkit configurations.
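
The membership and polkit review recommended above, sketched as an added example (not part of the original article): it lists every wheel member, including users whose primary group is wheel and who therefore do not appear in the `/etc/group` member list, and flags polkit entries that grant an action with no authentication. The sample file contents, the approved-administrator list and the function names are constructed for illustration, and the polkit check assumes the legacy `.pkla` local-authority format.

```python
import re
# Constructed sample data, not taken from any real host.
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:carol\n"
SAMPLE_PASSWD = (
    "bob:x:1001:1001::/home/bob:/bin/bash\n"
    "dave:x:1002:10::/home/dave:/bin/bash\n"  # primary GID 10 is wheel
)
SAMPLE_PKLA = """\
[Allow package install]
Identity=unix-group:wheel
Action=org.freedesktop.packagekit.*
ResultAny=yes
ResultInactive=yes
ResultActive=auth_admin
"""

def group_members(group_text, passwd_text, group="wheel"):
    """Users in `group`: listed members plus users whose primary GID matches."""
    members, gid = set(), None
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == group:
            gid = f[2]
            members.update(u for u in f[3].split(",") if u)
    for line in passwd_text.splitlines():
        f = line.split(":")
        if gid is not None and len(f) >= 4 and f[3] == gid:
            members.add(f[0])
    return members

def unapproved(members, approved):
    """Members that are not on the approved administrator list."""
    return sorted(set(members) - set(approved))

def passwordless_grants(pkla_text):
    """(section, key) pairs where a Result* key is 'yes', i.e. no authentication."""
    findings, section = [], None
    for line in map(str.strip, pkla_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        m = re.fullmatch(r"(Result(?:Any|Inactive|Active))\s*=\s*yes", line)
        if m:
            findings.append((section, m.group(1)))
    return findings

if __name__ == "__main__":
    admins = group_members(SAMPLE_GROUP, SAMPLE_PASSWD)
    print("unapproved wheel members:", unapproved(admins, ["alice"]))
    print("passwordless polkit grants:", passwordless_grants(SAMPLE_PKLA))
```

On a live host the same functions can be fed the contents of `/etc/group`, `/etc/passwd` and each `.pkla` file in place of the embedded samples.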