Juniper Networks Junos OS
cpe:2.3:a:juniper:junos:*:*:*:*:*:*:*
- < 22.2R3-S7
- >= 22.4, < 22.4R3-S5
- >= 23.2, < 23.2R2-S3
- >= 23.4, < 23.4R2-S3
- >= 24.2, < 24.2R1-S2
- <= 24.2R2
A UI discrepancy vulnerability has been identified in Juniper Networks Junos OS running on VM host systems. This vulnerability allows a network-based, unauthenticated attacker to access the device. On VM Host Routing Engines, even after the configured public key for root has been removed, remote users with the corresponding private key can still log in as root. This issue affects all Junos OS versions prior to 22.2R3-S7, 22.4 versions before 22.4R3-S5, 23.2 versions before 23.2R2-S3, 23.4 versions before 23.4R2-S3, and 24.2 versions before 24.2R1-S2 and 24.2R2.
Exploitation of this vulnerability allows unauthorized access to the device, with the ability to log in as root on affected VM Host Routing Engines.
Public key authentication for root can be explicitly disabled by using the command 'system root-authentication no-public-keys'. Users can upgrade to Junos OS versions 22.2R3-S7, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.
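As an added triage check that is not part of this record or of Juniper's own tooling, the following Python encodes the affected version ranges listed above so that an inventory of Junos version strings can be screened offline, and checks a configuration dump for the documented 'no-public-keys' mitigation. The standalone '<= 24.2R2' entry, which conflicts with 24.2R2 also being listed as a fixed release, is deliberately not encoded and must be resolved against the vendor advisory; the version-string grammar, the constructed configuration text and the function names are assumptions.

```python
import re

# Assumed Junos version grammar: MAJOR.MINOR "R" RELEASE, optional "-S" SERVICE-PACK,
# e.g. 22.4R3-S5 -> (22, 4, 3, 5). A bare branch such as 22.4 sorts below 22.4R1.
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")
_BRANCH = re.compile(r"^(\d+)\.(\d+)$")


def parse_junos(ver):
    """Turn a Junos version string into a comparable tuple."""
    m = _VER.match(ver)
    if m:
        major, minor, rel, sp = m.groups()
        return (int(major), int(minor), int(rel), int(sp or 0))
    m = _BRANCH.match(ver)
    if m:
        return (int(m.group(1)), int(m.group(2)), 0, 0)
    raise ValueError(f"unrecognised Junos version: {ver!r}")


# Affected ranges exactly as this record lists them:
# (inclusive lower bound or None for "everything below", exclusive upper bound).
AFFECTED = [
    (None, "22.2R3-S7"),
    ("22.4", "22.4R3-S5"),
    ("23.2", "23.2R2-S3"),
    ("23.4", "23.4R2-S3"),
    ("24.2", "24.2R1-S2"),
]


def is_affected(ver):
    """True when `ver` falls inside one of the listed affected ranges."""
    v = parse_junos(ver)
    for lo, hi in AFFECTED:
        if (lo is None or parse_junos(lo) <= v) and v < parse_junos(hi):
            return True
    return False


def root_pubkey_disabled(config_text):
    """True when the rendered configuration carries the 'no-public-keys' statement
    under 'system root-authentication' (the mitigation named in this record)."""
    block = re.search(r"root-authentication\s*\{(.*?)\}", config_text, re.S)
    return bool(block) and re.search(r"^\s*no-public-keys;", block.group(1), re.M) is not None


def needs_action(ver, config_text):
    """Affected release and mitigation absent: upgrade or apply the statement."""
    return is_affected(ver) and not root_pubkey_disabled(config_text)


# Constructed sample configuration text, not taken from any real device.
SAMPLE_CONFIG = "system {\n    root-authentication {\n        encrypted-password \"$PLACEHOLDER$\";\n        no-public-keys;\n    }\n}\n"
```

Feed `is_affected` the string shown by `show version` and `root_pubkey_disabled` the output of `show configuration system` to flag Routing Engines that still need attention.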