A new report has emerged of an alleged security flaw in the Linux kernel that is being named the “Grinch,” after the character from Dr. Seuss’ classic “The Grinch Who Stole Christmas” story. In this case, however, the Grinch might not be a risk at all. Ironically, on the same day the Grinch was reported, a real Linux vulnerability unrelated to the Grinch was disclosed and patched.
The Grinch flaw was reported by Stephen Cody, chief security evangelist at Alert Logic. Cody alleges that the Grinch flaw enables users on a local machine to escalate privileges. Leading Linux vendor Red Hat, however, disagrees that the Grinch issue is even a bug and instead notes in a Red Hat knowledge base article that the Grinch report “incorrectly classifies expected behavior as a security issue.”
The security researcher who originally reported the Grinch found that if a user logs into a Linux system as the local administrator, the user could run a certain command that would enable the user to install a package, explained Josh Bressers, lead of the Red Hat Product Security Team.
“Local administrators are trusted users,” Bressers told eWEEK. “This isn’t something you hand out to everybody.”
If the user is logged into a physical computer as the local administrator, the local administrator is expected to be able to perform certain actions without needing to type in a password, Bressers said. One such action is the ability to install software from a trusted software repository. “The reason for that is if you are sitting at the physical computer, you could physically install software, use a hammer and screwdriver, or do other things to the machine,” Bressers said. “So it’s not considered a trust boundary.”
If the user is remotely connecting to a system with SSH (Secure Shell), for example, then when the user tries to install software, a password is required, Bressers said. “Basically, this bug report on Grinch was a bit more sensational than it needed to be,” he said.
Bressers explained that modern Linux systems have technologies to control package management and installation. There is the PackageKit framework that controls the installation and maintenance of software packages on a system, while the PolicyKit technology exists to grant permissions to applications that request privileged actions.
“This is a known configuration of PolicyKit and a conscious decision,” Bressers said. “If you are physically present at the machine, there must be certain actions that the local administrator can perform without typing in a password.”
The alleged Grinch vulnerability is documented and expected behavior for a Linux system, he said.
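The decision Bressers describes can be expressed as PolicyKit (polkit) authorization rules, which are written in JavaScript. The following is an added illustration, not code from Red Hat or from the Grinch report: it models the console-versus-SSH behavior next to a stricter rule that always asks for administrator authentication. The `wheel` group as the administrator group, the stand-in `polkit` object, the fallback default and the sample subjects are assumptions so the rules run under Node.

```javascript
// Stand-in for the global `polkit` object that the real rule engine provides,
// so these rule functions can be exercised under Node (assumption).
const polkit = { Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null } };

// PackageKit's polkit action for installing a package from a repository.
const INSTALL = "org.freedesktop.packagekit.package-install";

// Behavior described in the article (modelled here, not a shipped rules file):
// an administrator in an active session at the physical console may install
// packages without a password prompt. "wheel" as admin group is an assumption.
function consoleAdminRule(action, subject) {
  if (action.id === INSTALL && subject.local && subject.active &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}

// Stricter site policy: always require administrator authentication.
function alwaysAuthRule(action, subject) {
  return action.id === INSTALL ? polkit.Result.AUTH_ADMIN
                               : polkit.Result.NOT_HANDLED;
}

// The first rule that returns a result wins. Anything left unhandled falls
// back to AUTH_ADMIN here, standing in for the action's own default (assumption).
function decide(rules, action, subject) {
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.AUTH_ADMIN;
}

// Constructed sample subjects: the same administrator at the console and over SSH.
const mkSubject = (local, active, groups) => ({
  local, active, isInGroup: (g) => groups.includes(g),
});
const atConsole = mkSubject(true, true, ["wheel"]);
const overSsh = mkSubject(false, true, ["wheel"]);
const action = { id: INSTALL };

console.log("console:", decide([consoleAdminRule], action, atConsole));
console.log("ssh:", decide([consoleAdminRule], action, overSsh));
console.log("hardened console:", decide([alwaysAuthRule, consoleAdminRule], action, atConsole));
```

Placing the stricter rule ahead of the permissive one is what changes the outcome, because the first rule to return a result decides.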
CVE-2014-9322
While the Grinch issue is being dismissed by Red Hat, another bug was disclosed on Dec. 17 that, in fact, is very critical. Ironically, the CVE-2014-9322 vulnerability is a kernel privilege escalation flaw, though it is unrelated to Grinch. Red Hat has already patched the flaw with its RHSA-2014:2008-01 update.
“With that flaw, any local user on a Linux system can become root,” Bressers said. “There is no public exploit, but it is a bug that affects lots of systems.”
Privilege escalation vulnerabilities in Linux overall are few and far between, he said.
“The last kernel privilege escalation issue we fixed before this one [CVE-2014-9322] was in May of 2013,” Bressers said. “I never want to say it’s not common, but we’re doing pretty well.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.