Limit source ip access in the Firewall is my way to avoid this.
Jokes on you, I run Centos 7!
The full write-up can be found here and should be fairly readable for users of this forum.
Some quotes that I thought were interesting:
With a heap corruption as a primitive, two FILE structures malloc()ated in the heap, and 21 fixed bits in the glibc’s addresses, we believe that this signal handler race condition is exploitable on amd64 (probably not in ~6-8 hours, but hopefully in less than a week). Only time will tell.
So 64-bit systems seem to be a bit more resistant to this it seems? But I can’t be completely sure given how much I’ve read about this yet.
This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd’s privileged code, which is not sandboxed and runs with full privileges. We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.
It seems that non glibc-based systems also could be vulnerable, but they have not yet tried to demonstrate it yet (or have tried and not been successful).
And OpenBSD wins again it seems.
the in depth technical details
TL;DR; sigalarm handler calls syslog which isn’t safe to call from a signal handler context.
Their example exploit needed about 10k attempts to get a remote shell so it’s not fast or quiet, but a neat find regardless
Maybe it is time to move to something new
Also why does sshd run as root. I deal like ssh could use some least privilege
Preliminary note: OpenSSH is one of the most secure software in the world; this vulnerability is one slip-up in an otherwise near-flawless implementation. Its defense-in-depth design and code are a model and an inspiration, and we thank OpenSSH’s developers for their exemplary work.
When you log in to an ssh terminal for a shell, it has to launch the shell process as the desired user. Needs to be root to do that.
SSH has been around a long time. It’s not perfect, but it’s mostly validated. Anything new won’t have that history.
Can’t it use built in OS mechanisms for that? Surely you could figure out a way to only give it permissions it needs. Maybe break it up into two separate processes.