
SANS ISC InfoSec Forums


ScreenOS vulnerability affects Juniper firewalls

Earlier today, we were notified of a vulnerability in ScreenOS, the operating system that runs firewalls sold by Juniper Networks. Yesterday, Juniper Networks announced that ScreenOS contains unauthorized code that surreptitiously decrypts traffic sent through virtual private network (VPN) connections [1].

The vulnerability has been designated CVE-2015-7755. Juniper's Security Incident Response Team (SIRT) strongly recommends that users upgrade to a fixed release of ScreenOS to resolve these critical vulnerabilities [2].

Juniper firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and should be patched immediately.
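To turn the version ranges above into an inventory check, here is an added Python example (not code from the diary or from Juniper): it parses ScreenOS version strings of the form 6.3.0r17 and flags hosts whose version falls inside the affected ranges; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected ScreenOS release ranges as given in the diary (both ends inclusive).
AFFECTED_RANGES = [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")]

# ScreenOS versions look like major.minor.patch r<release>, e.g. 6.3.0r17.
# Fields are compared numerically, so r9 correctly sorts before r12.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(version):
    """Return (major, minor, patch, release) as ints, or None if the string
    does not match the ScreenOS format. Callers treat None as 'unknown' so a
    malformed inventory entry is flagged rather than silently marked clear."""
    m = _VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version is inside an affected range, False if outside it,
    None if the version string could not be parsed."""
    parsed = parse_screenos_version(version)
    if parsed is None:
        return None
    return any(
        parse_screenos_version(low) <= parsed <= parse_screenos_version(high)
        for low, high in AFFECTED_RANGES
    )


def triage_inventory(inventory):
    """Bucket a {hostname: version} mapping into affected / clear / unknown."""
    buckets = {"affected": [], "clear": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "clear")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "fw-dc1": "6.3.0r17",      # inside 6.3.0r12-6.3.0r20
    "fw-dc2": "6.3.0r21",      # one release past the affected range
    "fw-branch": "6.2.0r14",   # one release before the affected range
    "fw-lab": "6.2.0r18",      # upper bound, inclusive
    "fw-typo": "6.3.0",        # missing r<release>: cannot be assessed
}

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```

Note that "clear" only means the version is outside the ranges the advisory lists; it is not a general statement that the release is free of the issue.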

US-CERT has issued a notification [3], and other sources have also reported on the issue [4, 5].

See the CVE entry or the references below for more information.

References:

[1] http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
[2] http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713
[3] https://www.us-cert.gov/ncas/current-activity/2015/12/17/Juniper-Releases-Out-band-Security-Advisory-ScreenOS
[4] http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
[5] https://threatpost.com/juniper-finds-backdoor-that-decrypts-vpn-traffic/115663/

Brad

ISC Handler
"unauthorized code", yikes, does that mean someone got into their repository or something like that? Sure sounds like it.
TuggDougins

Quoting TuggDougins:
"unauthorized code", yikes, does that mean someone got into their repository or something like that? Sure sounds like it.

Good question! According to the reports, Juniper has not commented on the origin of the code it found. It's not clear how the code got there or how long it has been there.
Brad

ISC Handler
There are 2 vulnerabilities:
- The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system.
- The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue.

Mitigation for the first issue is "Restricting management access (e.g. SSH) to only trusted management networks and hosts will help mitigate this issue.", so there is no knock-knock access, as some suggested on the internet. A proper configuration would have prevented this.

@Brad
It was introduced in 2012.
The vulnerable code is in "All NetScreen devices using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected by these issues and require patching."
and according to https://www.juniper.net/support/products/screenos/ns5gt/6.2/
6.2.0r15 was released on 12 Sep 2012
Placebo

Quoting Placebo:
@Brad
It was introduced in 2012.
The vulnerable code is in "All NetScreen devices using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected by these issues and require patching."
and according to juniper.net/support/products/screenos/ns5gt/6.2/
6.2.0r15 was released on 12 Sep 2012
Thanks! Guess I should've worked my way back. You're correct, the information is there, despite what some of the reports have stated.
Brad

ISC Handler