Alert Logic discovered the bug, which is susceptible to exploitation due to the default installation process used by Linux.
Alert Logic discovered the bug, which is susceptible to exploitation due to the default installation process used by Linux.

A security firm has disclosed details on a grievous bug, called “grinch,” which impacts all Linux platforms potentially allowing an attacker administrative access to systems where they can go on to remotely install malicious applications, steal data, or perform other malicious acts of their choosing.

Disclosed by Alert Logic the week before Christmas, grinch has apparently earned its name, as approximately 65 percent of all web servers on the internet use a Unix/Linux based operating system, making them vulnerable to attack, the firm said in a Tuesday blog post citing a 2013 W3Tech report.

Additionally, servers are vulnerable to exploitation, along with corporate and personal computers running Linux, and Android devices (which leverage an mobile operating system based on the Linux kernel), Alert Logic revealed in email correspondence with SCMagazine.com. Cloud storage services, like Amazon Web Services (AWS), also run on Linux, the firm added.

In its blog post, Alert Logic said that “in the thick of the holiday season, we are analyzing which operating systems support the needs of e-commerce and brick and mortar retail shops.” In doing so, researchers “found that Linux is dominating when it comes to e-commerce deployment.”

Back in August, Alert Logic senior security researcher Tyler Borland stumbled upon the serious flaw while the research team analyzed the Linux platform. Grinch technically resides in the new Linux authorization system that allows privilege escalation through Wheel, the firm revealed in its blog.

“Wheel is a special user group that controls access to the su command, which allows a user to masquerade as another user,” the post said. “When a Linux system is built, the default user is assigned to the wheel group that allows for administrative task execution within the system. For example, if the file is owned by user XYZ and group wheel, it will run as XYZ:wheel, no matter who executes the file.”

In an interview with SCMagazine.com, Stephen Coty, director of threat research at Alert Logic, said that, simply put, “anything that is set up by the Linux default settings would be affected” by grinch.

“This vulnerability could allow the attacker to install any type of software they want to, meaning remote access trojans (RATs), or software where they 100 percent own that box, or software where they can exfiltrate 100 percent of the information off a [targeted] server,” Coty added later. “They could install anything, so the possibilities are really endless at that point.”