[EX] Workaround for OpenSSH client information leak and buffer overflow in roaming support

Article ID: KB31083   KB Last Updated: 23 Aug 2016   Version: 1.0
Summary:

According to JSA10734:

“Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called Roaming. If the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session.

Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based).”


This article describes workarounds for the MX and EX platforms that can be applied independently of the fix delivered in PR1154016.

Symptoms:

The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client's version, compiler, and operating system) allows a malicious SSH server to steal the client's private keys. This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.

All OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be easily hot-fixed by setting the undocumented option ‘UseRoaming’ to ‘no’, as detailed in the Mitigating Factors section. OpenSSH version 7.1p2 (released on January 14, 2016) disables roaming by default.

Cause:

Solution:

Workaround for MX platform

OpenSSH roaming can be disabled manually as follows:
  1. Disable the use of Roaming in ssh_config.
    Note: The contents of ssh_config are overwritten on boot, so the setting must be added to the ssh_config.sys file instead, from which it is propagated:

    sh -c "echo -e 'Host *\nUseRoaming no' >> /etc/ssh_config.sys"

  2. Perform commit full:

    user@junos> configure

    Entering configuration mode

    [edit]
    user@junos# commit full
    commit complete

    user@junos> quit

  3. Ensure the changes to ssh_config.sys are propagated to /var/etc/ssh_config:

    root@junos% cat /var/etc/ssh_config
    Host *
    UseRoaming no


    Note: It is good security practice to connect only to known, trusted SSH servers from critical infrastructure networking equipment. Use outgoing access lists or egress firewall filters to limit access from sensitive network devices to trusted administrative networks or hosts only.

Workaround for EX platform

root@jtac-ex4200-r2007:RE:0% mount -w / <--Make the root file system read-write
root@jtac-ex4200-r2007:RE:0% sh -c "echo -e 'Host *\nUseRoaming no' >> /etc/ssh_config.sys" <--Config the system file
root@jtac-ex4200-r2007:RE:0# commit full
root@jtac-ex4200-r2007# run start shell
root@jtac-ex4200-r2007:RE:0% cat /var/etc/ssh_config <--Config saved
Host *
UseRoaming no
root@jtac-ex4200-r2007:RE:0% mount -r /
root@jtac-ex4200-r2007:RE:0%
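Step 3 of the MX procedure and the "Config saved" line of the EX session both rely on reading /var/etc/ssh_config by eye. The script below is an added example, not part of the KB article: it evaluates an ssh_config the way the client does (the first value found wins; directives before any Host line or under "Host *" cover every host) and reports the effective UseRoaming value, so the check can be scripted, for instance as `check_useroaming /var/etc/ssh_config`. The sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): report the UseRoaming value that an
# ssh_config applies to every host, so the result of the workaround can be
# checked mechanically, e.g.: check_useroaming /var/etc/ssh_config
#
# Mirrors ssh_config's first-match rule: the first UseRoaming value found in a
# context that covers all hosts (before any Host line, or under "Host *") wins.
# Prints "no", "yes" or "unset" (unset = client default, which is "yes" on the
# affected 5.4 - 7.1 clients, so it counts as not disabled).
roaming_status() {
    awk '
        BEGIN { applies_all = 1 }                 # before any Host line: global
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        { gsub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" form
        tolower($1) == "host" {                   # Host opens a new block
            applies_all = 0
            for (i = 2; i <= NF; i++) if ($i == "*") applies_all = 1
            next
        }
        tolower($1) == "useroaming" && applies_all && !done {
            value = tolower($2); done = 1         # first match wins
        }
        END { print (done ? value : "unset") }
    ' "$1"
}

# Returns 0 only when roaming is disabled for all hosts.
check_useroaming() {
    status=$(roaming_status "$1")
    echo "$1: effective UseRoaming = $status"
    [ "$status" = "no" ]
}

# Constructed sample configs (not device output) to exercise the check.
tmp=$(mktemp -d)
printf 'Host *\nUseRoaming no\n' > "$tmp/fixed"      # expected after the workaround
printf '# stock config, roaming not mentioned\nHost bastion\n  Port 22\n' > "$tmp/stock"
printf 'Host bastion\n  UseRoaming no\nHost *\n  UseRoaming yes\n' > "$tmp/partial"
for f in fixed stock partial; do
    check_useroaming "$tmp/$f" || echo "  -> roaming is NOT disabled"
done
```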
