RedHat retorted: "Grinch (ghost genie)" is not a Linux Vulnerability


Security experts said that the way Linux handles permissions may still lead to potential misoperations.

However, RedHat does not agree, saying that the grinch Linux vulnerability published by Alert Logic on Tuesday (December 16) is not a security vulnerability.

RedHat issued a briefing on Wednesday in response to Alert Logic's statement, saying: "The report mistakenly classifies normal actions as security issues ."

The security company Alert Logic claimed on Tuesday that the "ghost genie" vulnerability was more serious than the Heartbleed bug, calling it a major design defect in how Linux handles user privileges that attackers could exploit to obtain root privileges on the machine.

Alert Logic says attackers can use the third-party Linux software framework PolicyKit (Polkit) to exploit the "ghost genie" vulnerability. Polkit is designed to help users install and run software packages and is maintained by Red Hat. Alert Logic claims that superuser permissions are often required to allow users to install software programs, and that in this way Polkit inadvertently opens the door to running malicious programs by other means.

Red Hat does not agree with this, pointing out that the system is designed this way. In other words, "ghost genie" is not a bug but a feature.

Jen Andre, co-founder of Threat Stack, a security monitoring company, wrote in a blog post: "If you allow users to use software that uses PolicyKit without a password, you can install any software on the system, which actually bypasses Linux's internal authorization and access control."

James Staten, senior security researcher at Alert Logic, wrote in an email to the IDG News Service that although this behavior was designed and intended, the ghost genie may still be used or modified to attack the system.

"The problem is that there is a weak link on the surface that can be used to attack the system. If installing a software package required a password like other operations, such as deleting a software package or adding a software source, then there would be no possibility of malicious exploitation."

However, Andre also said in an interview that eager attackers still face some demanding restrictions on using Polkit.

Attackers must have physical access to the machine and interact with it through a keyboard and mouse. An attacker with physical access could just as easily reach data and programs by rebooting the machine into recovery mode.

Andre said that not all Linux machines install Polkit by default; in fact, it is mainly used on workstations with a desktop graphical interface, which make up a small share of the Linux machines running today.

In other words, the ghost genie does not have the broad reach of Shellshock. The latter exists in the Bash shell, and almost no distribution was spared.

Other security experts are also skeptical of the ghost genie vulnerability.

Johannes Ullrich of the SANS Institute's Internet Storm Center wrote in a blog post: "To some extent, compared with the many Linux systems that are configured too casually, this vulnerability doesn't amount to much."

Ullrich also pointed out that the "ghost genie" vulnerability is not completely "benign" and "it can be easily exploited to obtain permissions beyond the expectations set by Polkit."

Andre pointed out that administrators responsible for managing desktop Linux machines running Polkit should be aware of the potential risks, check which programs are managed by Polkit, and ensure that the system is secure.

He also said that application developers and Linux distributors should ensure correct use of the Polkit framework.
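A defender-side check in the spirit of Andre's advice, added here as an example (it is not part of the original article, the Alert Logic report, or polkit itself): parse the output of polkit's `pkaction --verbose` and list every action whose implicit authorization for an active local session is `yes`, meaning it is granted with no password at all. The sample output below is constructed so the script runs offline; the `find_passwordless_actions` function name is the example's own.

```shell
#!/bin/sh
# Audit polkit actions for implicit authorizations that grant access without a password.
# Added example, not code from the article. Reads the text format that `pkaction --verbose`
# prints; the sample below is constructed for offline use.

# Constructed sample in the format of `pkaction --verbose` (two actions, one of which
# lets any active local session install packages with no authentication).
SAMPLE_PKACTION='org.freedesktop.packagekit.package-install:
  description:       Install package
  message:           Authentication is required to install software
  vendor:            The PackageKit Project
  vendor_url:        http://www.packagekit.org/
  icon:              package-x-generic
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes

org.freedesktop.packagekit.package-remove:
  description:       Remove package
  message:           Authentication is required to remove software
  vendor:            The PackageKit Project
  vendor_url:        http://www.packagekit.org/
  icon:              package-x-generic
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep
'

# find_passwordless_actions: read pkaction output from files or stdin and print the
# action ids whose "implicit active" value is "yes" (granted to an active local
# session with no authentication). "auth_admin" / "auth_admin_keep" require the
# administrator password; "auth_self" / "auth_self_keep" require the user's own.
find_passwordless_actions() {
    awk '
        /^[^ ]/ { sub(/:$/, "", $1); action = $1 }   # an unindented line names the action
        /^  implicit active:/ && $3 == "yes" { print action }
    ' "$@"
}

# Demonstrate on the constructed sample, then on the live system if pkaction exists.
printf '%s\n' "$SAMPLE_PKACTION" | find_passwordless_actions
if command -v pkaction >/dev/null 2>&1; then
    pkaction --verbose | find_passwordless_actions
fi
```

Any action id this prints is one an administrator should review against the distribution's policy files, since it is exactly the class of "no password required" action the article's experts describe.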

Even Taylor, another author of the original report, seems to acknowledge that "ghost genie" is not very serious.

In an email to the open-source security mailing list, Bourland noted that attackers would need to combine other vulnerabilities with the "ghost genie" to mount an attack. He wrote: "'Ghost genie' is like a skilled engineer who opens the interface, but it cannot go too high."

(Lucian Constantin also contributes to this Article .)


Via: http://www.computerworld.com/article/2861392/security0/the-grinch-isnt-a-linux-vulnerability-red-hat-says.html

Author: Joab Jackson Translator: yupmoon Proofreader: wxy

This article was originally translated by LCTT and first published by Linux China.

Permanent link to this article: http://www.linuxidc.com/Linux/2014-12/110980.htm
