On December 18, 2015, Juniper Networks released details of two critical vulnerabilities in their ScreenOS software.
The first, which affects ScreenOS 6.3.0r17 through 6.3.0r20, can allow remote administrative access to the NetScreen device by bypassing the authentication system on SSH or TELNET (CVE-2015-7755). An attacker would need a valid username and the widely published backdoor password to log in with “system” privileges.
The second vulnerability, which affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, can allow someone with access to VPN traffic to potentially decrypt the data passing through (CVE-2015-7756).
Could my organisation be vulnerable?
Yes, if your organisation uses NetScreen firewalls running a vulnerable version of ScreenOS:
- Administrative access (6.3.0r17 through 6.3.0r20)
- VPN decryption (6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20)
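One way to check an inventory of reported ScreenOS versions against the two ranges above, as an added example (not SureCloud's or Juniper's code). The inventory format, the device names, and the treatment of a letter suffix as a rebuilt image that needs manual confirmation are assumptions.

```python
import re

# Affected ranges exactly as listed in the advisory: (branch, first rN, last rN).
AFFECTED = {
    "CVE-2015-7755": [((6, 3, 0), 17, 20)],
    "CVE-2015-7756": [((6, 2, 0), 15, 18), ((6, 3, 0), 12, 20)],
}
# Branch "6.3.0", release "r18", optional letter suffix; ".0" build digits ignored.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)r(\d+)([a-z]?)")

def classify(version_text):
    """Return (cves, needs_review) for a ScreenOS version string.

    cves: advisory CVEs whose range contains the version number.
    needs_review: the number is in range but carries a letter suffix, which
    this example assumes marks a rebuilt image, so confirm it on the device.
    """
    m = VERSION_RE.search(version_text)
    if not m:
        raise ValueError(f"no ScreenOS version in {version_text!r}")
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    release = int(m.group(4))
    cves = sorted(cve for cve, ranges in AFFECTED.items()
                  if any(b == branch and lo <= release <= hi for b, lo, hi in ranges))
    return cves, bool(cves and m.group(5))

def audit(inventory):
    """Map device name -> classify() result; rows without a version map to None."""
    report = {}
    for line in inventory.strip().splitlines():
        name, _, version = line.partition(",")
        try:
            report[name.strip()] = classify(version)
        except ValueError:
            report[name.strip()] = None
    return report

# Constructed sample inventory (device name, reported version); not real hosts.
SAMPLE = """
fw-edge-01, 6.3.0r18
fw-branch-02, 6.2.0r16.0
fw-lab-03, 6.3.0r12b
fw-dc-04, 6.3.0r21
fw-old-05, unknown
"""

if __name__ == "__main__":
    for device, result in audit(SAMPLE).items():
        print(device, result)
```

Devices that map to `None` reported no parsable version and still need a manual check.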
How can we detect the issue?
Check the ScreenOS version running on each device. If the version is in the range affected by the administrative access vulnerability, it is also possible to attempt to log in to the device with any valid username and the following password:
<<< %s(un=’%s’) = %u
What can we do to protect our organisation’s users?
Update ScreenOS software as soon as possible. All current versions on the juniper.net web site are now patched, including the versions marked as vulnerable.
https://www.juniper.net/support/downloads/screenos.html
In addition, and as per best practice, ensure that you are not allowing access to management services (SSH, HTTPS, Telnet, etc.) from the public internet. Such services should only be made accessible from ‘trusted’ networks (such as a dedicated management network). This will help prevent unauthorised access and serves as a temporary workaround until you can patch.
Get in touch
Should you have any questions regarding this or any security-related matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
References
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
https://www.theregister.co.uk/2015/12/20/juniper_details_two_attacks_from_unauthorised_code/
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in line with any existing internal change control procedures.