ScreenOS vulnerability affects Juniper firewalls

Published: 2015-12-18
Last Updated: 2015-12-18 16:21:38 UTC
by Brad Duncan (Version: 1)

Earlier today, we were notified of a vulnerability in an operating system named ScreenOS used to manage firewalls sold by Juniper Networks.  Yesterday, Juniper Networks announced that ScreenOS contains unauthorized code that surreptitiously decrypts traffic sent through virtual private network (VPN) connections [1].

The vulnerability has been designated as CVE-2015-7755.  Juniper's Security Incident Response Team (SIRT) strongly recommends users upgrade to a fixed release of ScreenOS to resolve these critical vulnerabilities [2].

Juniper firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and should be patched immediately.
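As an added example (not code from this diary or from Juniper), the following Python triages a device inventory against the two affected ranges named above. The "hostname version" inventory format, the hostnames and the `review` category are assumptions; `not-listed` only means the version falls outside the ranges this diary names.

```python
import re

# Affected ranges as stated in the diary: release train -> inclusive r-number range.
AFFECTED = {(6, 2, 0): (15, 18), (6, 3, 0): (12, 20)}

# Strict form only, e.g. "6.3.0r17". Anything else is sent for manual review.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def classify(version):
    """Return 'affected', 'not-listed' or 'review' for a ScreenOS version string."""
    m = _VERSION.match(version.strip())
    if m is None:
        return "review"  # suffixed or malformed: do not guess
    major, minor, patch, rel = (int(g) for g in m.groups())
    low, high = AFFECTED.get((major, minor, patch), (1, 0))  # empty range if train not listed
    # Numeric comparison: as strings, "r2" would sort between "r12" and "r20".
    return "affected" if low <= rel <= high else "not-listed"


def triage(inventory_text):
    """Map each 'hostname version' line to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        # A host with no version recorded (or extra fields) needs a person to look.
        results[parts[0]] = classify(parts[1]) if len(parts) == 2 else "review"
    return results


# Constructed sample inventory: hostnames and the mix of versions are made up.
SAMPLE = """\
fw-edge-01 6.3.0r17
fw-edge-02 6.3.0r2
fw-branch-07 6.2.0r15
fw-branch-08 6.2.0r19
fw-lab-01 6.3.0r12x
fw-lab-02
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:14} {status}")
```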

A notification has come out through the US CERT [3].  Some other sources have also issued reports about it [4, 5].

See the CVE link above or references below for more information.

References:

[1] http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
[2] http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713
[3] https://www.us-cert.gov/ncas/current-activity/2015/12/17/Juniper-Releases-Out-band-Security-Advisory-ScreenOS
[4] http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
[5] https://threatpost.com/juniper-finds-backdoor-that-decrypts-vpn-traffic/115663/


Comments

"unauthorized code", yikes, does that mean someone got into their repository or something like that? Sure sounds like it.
[quote=comment#35927]"unauthorized code", yikes, does that mean someone got into their repository or something like that? Sure sounds like it.[/quote]

Good question! According to the reports, Juniper has not commented on the origin of the code it found. It's not clear how the code got there or how long it has been there.
There are 2 vulnerabilities:
- The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system.
- The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue.

Mitigation for the first issue is "Restricting management access (e.g. SSH) to only trusted management networks and hosts will help mitigate this issue." so there is no knock-knock access as some suggested on the internet. A proper configuration would have prevented this.

@Brad
It was introduced in 2012.
The vulnerable code is in "All NetScreen devices using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected by these issues and require patching."
and according to https://www.juniper.net/support/products/screenos/ns5gt/6.2/
6.2.0r15 was released on 12 Sep 2012
[quote=comment#35931]
@Brad
It was introduced in 2012.
The vulnerable code is in "All NetScreen devices using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected by these issues and require patching."
and according to https://www.juniper.net/support/products/screenos/ns5gt/6.2/
6.2.0r15 was released on 12 Sep 2012[/quote]

Thanks! Guess I should've worked my way back. You're correct, the information is there, despite what some of the reports have stated.
