Juniper patches OpenSSH's 'roaming' bug in Junos OS
Screen OS not affected
The next vendor to kill off the OpenSSH roaming bug announced in January is Juniper Networks.
The bug's best bit, as we noted at the time, was that the roaming feature had been added as an experiment back in 2010 (in version 5.4), and was undocumented.
The idea of roaming is to maintain an OpenSSH session if there was a connection interruption – which happens quite often in the mobile world, when for example a client moves between cell towers / base stations.
In its analysis of the bug, Qualys found that with roaming on, the client's memory buffer held private keys, and a sophisticated attacker in control of a malicious server might be able to retrieve the key. If it was a weak key not protected by a passphrase, they would then be able to extract the key from what they retrieved.
Juniper's advisory says platforms running Junos OS are vulnerable to CVE-2016-0777 and a second (less serious) issue, CVE-2016-0778, a buffer overflow. Screen OS is not affected.
In Juniper's case, the issue arises because OpenSSH provides access from a Junos OS device to SSH servers, so it's time to update.
Various Junos OS versions later than 12.1X46-D45 are affected if OpenSSH is in use. ®