[j-nsp] SSH version 4 vulnerability on JUNOS

Harri Makela harri_makela at yahoo.com
Mon Sep 9 12:52:55 EDT 2013


Thank you very much for the update, Tim. Much appreciated.




________________________________
 From: Tim Eberhard <xmin0s at gmail.com>
To: Harri Makela <harri_makela at yahoo.com> 
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net> 
Sent: Monday, 9 September 2013, 17:45
Subject: Re: [j-nsp] SSH version 4 vulnerability on JUNOS
 


I've checked in with Juniper CERT a couple of times after SSH vulnerabilities were made public, given the fact that they run such old ssh binaries.

The answer I've received every time is that they run a modified version of OpenSSH 4.4, and disallow unsigned, third-party or modified binaries from running under Junos by default.

With that said, I wouldn't really worry about an X11 session hijacking vulnerability, given you don't have X11 installed on your device. This seems like a generic scan report that looks for anything under OpenSSH 5.0 and just tells you to upgrade. I think you're safe to ignore it here, Harri.

Hope this helps,
-Tim Eberhard



On Mon, Sep 9, 2013 at 9:16 AM, Harri Makela <harri_makela at yahoo.com> wrote:

Hi There
>
>I got the following report after the vulnerability scan. Now, first, we don't use IPv6, and secondly, how can we check on Juniper that the version is SSH 4?
>
>
>Synopsis: The remote SSH service is prone to an X11 session hijacking vulnerability.
>
>Description:  According to its banner, the version of SSH installed on the remote host is older than 5.0.  Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
>
>Solution : Upgrade to OpenSSH version 5.0 or later.
>
>This is what I have searched for on the ex-8208 switch and came up with for SSH:
>
>
>set system services ssh root-login deny
>set system services ssh protocol-version v2   -----> it says version 2
>
>
>Sorry if these are too basic questions as I am new to all this.
>
>Thanks
>HM
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp
>
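An added illustration, not part of the thread, of the distinction Tim draws: the scanner keys on the software version in the server banner (the "OpenSSH_4.4" part), while `set system services ssh protocol-version v2` only controls the "SSH-2.0" part. The sample banners below are constructed; the "junos-like" one assumes the OpenSSH 4.4 build Tim mentions, and `finding_applicable` encodes the preconditions the report itself lists (X11 sessions and a local IPv6 interface).

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample banners (the first line a server sends on port 22, RFC 4253).
# The "junos-like" string assumes the OpenSSH 4.4 build Tim mentions.
SAMPLE_BANNERS = {
    "junos-like": "SSH-2.0-OpenSSH_4.4",
    "modern": "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "legacy": "SSH-1.99-OpenSSH_3.9p1",
    "other": "SSH-2.0-dropbear_2012.55",
}

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>\S+)(?: .*)?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass
class BannerInfo:
    protocol: str  # "2.0": the part that 'protocol-version v2' controls
    software: str  # "OpenSSH_4.4": the part the scanner's version rule keys on
    openssh: Optional[Tuple[int, int, int]]  # None when the server is not OpenSSH


def parse_banner(line: str) -> BannerInfo:
    """Split an SSH identification string into protocol and software versions."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    ver = None
    v = OPENSSH_RE.match(m.group("sw"))
    if v:
        ver = (int(v.group(1)), int(v.group(2)), int(v.group(3) or 0))
    return BannerInfo(m.group("proto"), m.group("sw"), ver)


def flagged_by_banner_rule(info: BannerInfo) -> Optional[bool]:
    """The scanner's rule as described in the report: any OpenSSH below 5.0 is
    flagged. Returns None when no OpenSSH version can be read from the banner."""
    if info.openssh is None:
        return None
    return info.openssh < (5, 0, 0)


def finding_applicable(info: BannerInfo, x11_forwarding: bool, ipv6_enabled: bool) -> bool:
    """A banner match alone is not exposure: per the report the issue needs X11
    sessions and a local IPv6 interface, so both must be present to count it."""
    return bool(flagged_by_banner_rule(info)) and x11_forwarding and ipv6_enabled


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        info = parse_banner(banner)
        print(f"{name:10} proto={info.protocol:5} sw={info.software:16} "
              f"flagged={flagged_by_banner_rule(info)} "
              f"applies(no X11, no IPv6)={finding_applicable(info, False, False)}")
```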

