Impact of Linux bug 'grinch' spans servers, workstations, Android devices and more

MrGuvernment

This stuff just won't stop

Impact of Linux bug 'grinch' spans servers, workstations, Android devices and more

http://www.scmagazine.com/impact-of...s-android-devices-and-more/article/388689/2/

A security firm has disclosed details on a grievous bug, called “grinch,” which impacts all Linux platforms potentially allowing an attacker administrative access to systems where they can go on to remotely install malicious applications, steal data, or perform other malicious acts of their choosing.

Disclosed by Alert Logic the week before Christmas, grinch has apparently earned its name, as approximately 65 percent of all web servers on the internet use a Unix/Linux based operating system, making them vulnerable to attack, the firm said in a Tuesday blog post citing a 2013 W3Tech report.

Currently, there is no patch for the bug, but Alert Logic reported the issue through RedHat and Bugzilla four months ago when it discovered the vulnerability, Coty said.

To combat the security issue, enterprises can “rewrite some administrative access” and employ security logging software to detect suspicious activity, such as administrative privileges being rewritten – “a monitoring approach, not a fix,” the firm said in initial email correspondence with SCMagazine.com.
 
Question: if you do not allow remote ssh access, as one should not, how can someone get into the server? Exploiting an open port like 80/443?
 
The "bug" only affects you if you have physical access to the box. You have to be on via keyboard to make it happen.

If you are SSHed in you can't "exploit" this "bug".

RedHat indicates this is expected behavior, not a bug.

Also why would you not allow remote access via SSH? I have been SSH'ing into my server for over a decade without issue. You don't allow root to login via SSH, but you let a regular account to log in remotely and elevate privileges as needed. I have two accounts on my server that can sudo, and that is myself and my friend that runs the ISP where the server is hosted.
 
Good to know!

For me it is VPN into the networks I have set up from home where needed.

For sure don't allow root via SSH, change the port (which doesn't do a lot as anyone can still find it) and go from there.
 
The "bug" only affects you if you have physical access to the box. You have to be on via keyboard to make it happen.

If you are SSHed in you can't "exploit" this "bug".

RedHat indicates this is expected behavior, not a bug.

Also why would you not allow remote access via SSH? I have been SSH'ing into my server for over a decade without issue. You don't allow root to login via SSH, but you let a regular account to log in remotely and elevate privileges as needed. I have two accounts on my server that can sudo, and that is myself and my friend that runs the ISP where the server is hosted.

Same here. No remote root login, and brute force protection. On the critical servers (that still need to be accessed remotely) I have no remote root login and an IP whitelist at the firewall. Been operating this way since at least 2003.
 
The attacker would have to be a user who is a member of the 'wheel' group. A user is only in the wheel group if an admin puts them there (presumably because they trust them to carry out admin tasks).

So admins can gain admin privileges by being admins.

Giant steaming pile of FUD.
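As an added example (not code from the thread or from any of its posters), here is a small audit script covering the two practices the posts above rely on: root cannot log in over SSH, and the 'wheel' group, the only thing "grinch" would need, contains just the accounts you expect. The function names and the sample config/group files are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Checks that PermitRootLogin
# is explicitly "no" and that 'wheel' holds only the expected members.
# Caveat: Match blocks and Include files are not followed; use `sshd -T`
# for the effective server configuration on a real host.

# Effective PermitRootLogin from a config file. sshd honours the first
# occurrence of a keyword; commented lines are ignored. Prints "unset" if absent.
permit_root_login() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
          | head -n 1 | awk '{ print tolower($2) }')
    if [ -n "$val" ]; then echo "$val"; else echo "unset"; fi
}

# Comma-separated member list of group $2 from an /etc/group style file $1.
group_members() {
    grep "^$2:" "$1" | cut -d: -f4
}

# Prints PASS only when root login is explicitly "no" and every wheel member
# appears in the allow list ($3, comma separated). Always returns 0; the
# printed verdict is the result.
audit_ssh_hardening() {
    cfg=$1; grp=$2; allowed=$3
    prl=$(permit_root_login "$cfg")
    if [ "$prl" != "no" ]; then echo "FAIL: PermitRootLogin is $prl"; return 0; fi
    members=$(group_members "$grp" wheel)
    for m in $(echo "$members" | tr ',' ' '); do
        case ",$allowed," in
            *",$m,"*) ;;
            *) echo "FAIL: unexpected wheel member $m"; return 0 ;;
        esac
    done
    echo "PASS"
}

# Constructed sample inputs for demonstration (not taken from a real system).
TMP=$(mktemp -d)
WEAK_CFG=$TMP/sshd_config.weak
HARD_CFG=$TMP/sshd_config.hard
GROUP_FILE=$TMP/group
printf '#PermitRootLogin no\nPermitRootLogin yes\nPort 22\n' > "$WEAK_CFG"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$HARD_CFG"
printf 'root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:\n' > "$GROUP_FILE"

audit_ssh_hardening "$WEAK_CFG" "$GROUP_FILE" "alice,bob"  # FAIL: PermitRootLogin is yes
audit_ssh_hardening "$HARD_CFG" "$GROUP_FILE" "alice,bob"  # PASS
audit_ssh_hardening "$HARD_CFG" "$GROUP_FILE" "alice"      # FAIL: unexpected wheel member bob
```

The wheel check is the part that actually addresses the thread's point: whoever is in that group is already trusted, so auditing its membership is the real control, not patching.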
 
The attacker would have to be a user who is a member of the 'wheel' group. A user is only in the wheel group if an admin puts them there (presumably because they trust them to carry out admin tasks).

So admins can gain admin privileges by being admins.

Giant steaming pile of FUD.

So far this is what I've read as well: somebody trying to be catchy to get some page views. There's not even a CVE on it...
 
The attacker would have to be a user who is a member of the 'wheel' group. A user is only in the wheel group if an admin puts them there (presumably because they trust them to carry out admin tasks).

So admins can gain admin privileges by being admins.

Giant steaming pile of FUD.

Yep, it's a non-issue.

Most of my "engineers" in wheel (sudo) can barely work their way out of a paper bag, let alone employ this exploit.
 
The article is 404 but glad to read here that it's just FUD.

How is this an exploit anyway? If it requires physical access or being in a group that lets you do admin tasks, it's already assumed that you have authorized access, no? If someone wanted to do something malicious they would not even need an exploit if they were already given access.
 
I'm still wondering what administrative access is in Linux :p
 
The attacker would have to be a user who is a member of the 'wheel' group. A user is only in the wheel group if an admin puts them there (presumably because they trust them to carry out admin tasks).

So admins can gain admin privileges by being admins.

Giant steaming pile of FUD.

Or someone who already has access to a shell on the box to use one of the many flaws out there to become root in unpatched systems.
 