Educause Security Discussion mailing list archives

Re: Linux Grinch attack


From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Wed, 17 Dec 2014 20:55:07 +0000

Here is a link a colleague sent to me on the topic after we discussed it (and came to the conclusion it seemed minor 
for our department):

http://seclists.org/oss-sec/2014/q4/1075

Sincerely,

Alex Everett
UNC-CH

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Colleen Blaho 
[cblaho () SAS UPENN EDU]
Sent: Wednesday, December 17, 2014 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Linux Grinch attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I read the disclosure announcement last night. The 65% statistic just
seems like an attention grab and scare-mongering. You need the following
at minimum to exploit this:

* access to a local user account in the wheel group (a sudo user)
* PackageKit needs to be installed
* A package in the repos that PackageKit provides must have a security
vulnerability
* That package needs to be installed as part of the exploit and exploited.

PackageKit dev Richard Hughes released this update to Polkit Fri Jul 26 2013:
        "- Local active users in the wheel group can install signed packages w/o a password"

so it looks like this is an intentional feature. So if you secure your
wheel group users and don't have PKcon installed, this attack is
useless. My workstation (Fedora 19) doesn't have PKcon installed. I am
unimpressed :)

Then again, I wasn't very impressed in the early stages of Drupalgeddon
- -- "Arrays and SQLi? What are you going to do with that? Unimpressive."
We all know how that turned out...

On 12/17/2014 10:03 AM, Lisciotti, Kevin wrote:
Has anyone picked up on this Grinch attack that was announced yesterday?

http://www.scmagazine.com/impact-of-linux-bug-grinch-spans-servers-workstations-android-devices-and-more/article/388689/


- --
Colleen Blaho

Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104

Need to verify my public key?
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6BA5B98CF9577D6B>

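
Two of the preconditions listed in the message above (accounts in the wheel group, and pkcon being installed) can be checked statically on a host. The script below is an added example, not part of the original thread: the function names and the sample group/passwd contents are constructed, and on a real host it would be pointed at /etc/group and /etc/passwd. It does not evaluate whether a session counts as "local active" or which polkit rules are installed.

```sh
#!/bin/sh
# Added example: audit two preconditions named in the thread (wheel accounts, pkcon).

# wheel_members GROUP_FILE PASSWD_FILE
# Print every account in wheel: supplementary members (field 4 of the group
# entry) plus accounts whose primary GID in passwd equals wheel's GID.
wheel_members() {
    awk -F: '
        FILENAME == ARGV[1] {
            if ($1 == "wheel") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }
    ' "$1" "$2" | sort -u
}

# has_pkcon [DIRS]: succeed if a pkcon executable is on the given search path.
# Runs in a subshell so the caller's PATH is left untouched.
has_pkcon() (
    PATH=${1:-$PATH}
    command -v pkcon >/dev/null 2>&1
)

# grinch_preconditions GROUP_FILE PASSWD_FILE [DIRS]
# Return 0 and list the accounts when both conditions hold, else return 1.
grinch_preconditions() {
    members=$(wheel_members "$1" "$2" | tr '\n' ' ')
    if has_pkcon "${3:-$PATH}" && [ -n "$members" ]; then
        echo "review: pkcon present, wheel accounts: $members"
        return 0
    fi
    echo "ok: pkcon absent or wheel empty"
    return 1
}

# Constructed sample files (not from a real host).
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' 'users:x:100:carol' > "$demo/group"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'alice:x:1000:1000::/home/alice:/bin/sh' \
    'dave:x:1003:10::/home/dave:/bin/sh' > "$demo/passwd"
wheel_members "$demo/group" "$demo/passwd"    # alice, bob, dave (dave via primary GID)
grinch_preconditions "$demo/group" "$demo/passwd" || true
```

Accounts that have wheel as their primary group do not appear in the group file's member list, which is why the passwd file is read as well.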
