Juniper ScreenOS Vulnerabilities Advisory for CVE-2015-7755 and CVE-2015-7756

Overview

Juniper issued a critical security bulletin on Friday, December 18, 2015, stating that two distinct critical vulnerabilities had been discovered during an 'internal code review'. Both affect ScreenOS, the operating system that runs Juniper's popular NetScreen firewalls, which organizations widely deploy as perimeter firewalls and VPN gateways. The first vulnerability, CVE-2015-7755, allows an attacker to obtain unauthorized administrative remote access to the firewall; it affects ScreenOS 6.3.0r17 through 6.3.0r20. The second, CVE-2015-7756, may allow an attacker who can capture VPN traffic to decrypt it; it affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. Based on the release dates of the affected versions, the vulnerable code has likely been in these products since late 2012.

On Sunday, December 20, 2015, Rapid7's HD Moore released a blog post that identified an extra strcmp call in the vulnerable ScreenOS versions, comparing the supplied password against the constant <<< %s(un='%s') = %u, which is the backdoor password (it was chosen to resemble a debugging format string so that it blends in with the legitimate strings in the binary). This password allows an attacker to bypass authentication over SSH and Telnet, provided they supply a valid username. According to Moore, to test your own Juniper devices, Telnet or SSH to a NetScreen device and log in with a valid username and the backdoor password. If the device is vulnerable, you will receive an interactive shell with the highest privileges.

Impact

Because these vulnerabilities have the potential to provide administrative access to tens of thousands of devices that sit on the perimeter of organizations’ networks, as well as provide attackers with the ability to read encrypted traffic, their impact should be considered Critical and vulnerable systems should be patched immediately.

Identification

Unfortunately, identifying whether the authentication bypass has been exploited in your network is non-trivial: any attacker who used the backdoor also had the privileges needed to delete the device's local logs. Juniper did provide guidance on recognizing a successful exploit from the device's login log entries. If your organization forwards firewall logs to a centralized logging solution or SIEM, where an attacker on the device cannot tamper with them, you should review those logs for potential intrusions.

GuidePoint is also advising our customers to look for persistent traffic originating from unfamiliar and atypical IP address ranges, in particular management connections (SSH/Telnet) to the firewall from sources that do not belong to your management network, and new connections originating from the appliance itself, which could represent attackers moving inside your network once they have gained access to it. Additionally, Fox-IT has released a set of Snort rules that detect the backdoor password being sent over Telnet and flag any connection to a ScreenOS Telnet or SSH service. Note that the password rule can only work for Telnet: SSH encrypts the authentication exchange, so for SSH the rules can only alert on the connection itself.

https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f
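The two detection ideas above, reviewing forwarded ScreenOS logs for the pattern Juniper described and matching the backdoor password in Telnet traffic, as an added example written for this page (it is not GuidePoint's, Juniper's, Fox-IT's or Rapid7's code). Only the backdoor string is taken from the page; the syslog message IDs (00515/00528), the line layout, the sample log lines and the sample Telnet bytes are assumptions constructed for the example:

```python
import re

# Backdoor constant from HD Moore's analysis; the device compares the supplied
# password against it with strcmp.
BACKDOOR_PASSWORD = b"<<< %s(un='%s') = %u"

# ASSUMED ScreenOS syslog shapes, modelled on Juniper's guidance: a normal
# login writes a 00515 "has logged on" entry paired with a 00528 "Password
# authentication successful" entry; a backdoor login leaves no 00528 entry.
LOGGED_ON = re.compile(r"system-warning-00515: Admin user (?P<user>\S+) has logged on "
                       r"via (?P<proto>SSH|Telnet) from (?P<src>\S+)")
AUTH_OK = re.compile(r"system-warning-00528: (?:SSH|Telnet): Password authentication "
                     r"successful for admin user '(?P<user>[^']+)'")


def find_unpaired_logins(lines, window=3):
    """Return (user, proto, src) for every 00515 entry that has no 00528 entry
    for the same user within `window` lines. Each 00528 entry pairs with at
    most one 00515 entry, so a second login that merely sits near the first
    login's success entry is still reported."""
    logons, auths = [], []
    for i, line in enumerate(lines):
        m = LOGGED_ON.search(line)
        if m:
            logons.append((i, m.group("user"), m.group("proto"), m.group("src")))
        a = AUTH_OK.search(line)
        if a:
            auths.append((i, a.group("user")))
    unpaired = []
    for i, user, proto, src in logons:
        nearby = [j for j, (k, u) in enumerate(auths) if u == user and abs(k - i) <= window]
        if nearby:
            auths.pop(min(nearby, key=lambda j: abs(auths[j][0] - i)))  # consume once
        else:
            unpaired.append((user, proto, src))
    return unpaired


def strip_telnet_iac(data):
    """Remove Telnet option negotiation (RFC 854 IAC sequences) so the
    cleartext the client typed can be matched; IAC IAC is a literal 0xFF."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                                  # trailing lone IAC
        cmd = data[i + 1]
        if cmd == 0xFF:
            out.append(0xFF)
            i += 2
        elif cmd == 0xFA:                          # SB ... IAC SE
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (0xFB, 0xFC, 0xFD, 0xFE):      # WILL/WONT/DO/DONT <option>
            i += 3
        else:
            i += 2
    return bytes(out)


def telnet_session_uses_backdoor(client_packets):
    """True if the reassembled client->server Telnet stream carries the backdoor
    password. Reassembling before matching matters: the string may straddle TCP
    segments or be interleaved with IAC bytes, which defeats a per-packet match."""
    return BACKDOOR_PASSWORD in strip_telnet_iac(b"".join(client_packets))


# Constructed sample data (not real device output).
SAMPLE_LOG = [
    "2015-12-20 14:01:02 system-warning-00515: Admin user netadmin has logged on via SSH from 10.1.2.3:51022",
    "2015-12-20 14:01:02 system-warning-00528: SSH: Password authentication successful for admin user 'netadmin' at host 10.1.2.3",
    "2015-12-20 14:07:45 system-warning-00515: Admin user netadmin has logged on via SSH from 203.0.113.77:40112",
    "2015-12-20 14:07:50 system-notification-00767: Policy was modified",
]
SAMPLE_TELNET = [b"\xff\xfd\x18\xff\xfb\x01netadmin\r\n", b"<<< %s(un='%s'", b") = %u\r\n"]

if __name__ == "__main__":
    print("unpaired logins:", find_unpaired_logins(SAMPLE_LOG))
    print("backdoor in telnet stream:", telnet_session_uses_backdoor(SAMPLE_TELNET))
```

Run this over logs already shipped off the device; a local log that still looks clean proves nothing, since the backdoor grants the rights needed to edit it.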

Even worse, Juniper stated that there is currently no way to detect whether the VPN decryption vulnerability has been exploited. Exploitation is entirely passive: an attacker who has captured VPN traffic decrypts it offline and never has to touch the device, so nothing is logged.

Remediation

Juniper has released updated versions of all impacted ScreenOS trains, and GuidePoint is advising customers to upgrade any impacted devices as soon as possible. According to Juniper, "the following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases. Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b." Finally, Juniper recommends that customers restrict management access to trusted management networks and hosts, which limits the attack surface for the authentication bypass flaw until devices are patched.
GuidePoint Security is available to assist our customers with any remediation efforts. Please contact your Account Executive for more details on how GuidePoint can help.
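To triage an inventory against the affected and fixed releases listed above, the following is an added example (written for this page, not GuidePoint or Juniper code) that classifies a ScreenOS release string. The version ranges come from the advisory text; the `Software Version:` line format of the `get system` command, the sample output and the function names are assumptions:

```python
import re

# Release string such as "6.3.0r19", "6.3.0r19b" or "6.3.0r19.0" (trailing build).
_REL = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)([a-z]?)$")


def parse_release(s):
    """'6.3.0r19b' -> (6, 3, 0, 19, 'b'). A trailing '.N' build number is dropped."""
    s = re.sub(r"\.\d+$", "", s.strip())
    m = _REL.match(s)
    if not m:
        raise ValueError(f"unrecognised ScreenOS release string: {s!r}")
    maj, mn, pt, r, suffix = m.groups()
    return int(maj), int(mn), int(pt), int(r), suffix


def affected_cves(release):
    """Return the CVEs the release is exposed to; [] means fixed or out of scope.
    Ranges per Juniper: CVE-2015-7755 hits 6.3.0r17-r20; CVE-2015-7756 hits
    6.2.0r15-r18 and 6.3.0r12-r20; the 6.3.0r12b-r19b respins carry the fixes.
    Any other suffix is treated conservatively as unfixed."""
    maj, mn, pt, r, suffix = parse_release(release)
    train = (maj, mn, pt)
    if train == (6, 3, 0):
        if suffix == "b" and 12 <= r <= 19:
            return []
        if r >= 21:
            return []
        cves = []
        if 17 <= r <= 20:
            cves.append("CVE-2015-7755")
        if 12 <= r <= 20:
            cves.append("CVE-2015-7756")
        return cves
    if train == (6, 2, 0):
        return ["CVE-2015-7756"] if 15 <= r <= 18 else []
    return []


def release_from_get_system(output):
    """Pull the release out of 'get system' output (ASSUMED line format:
    'Software Version: 6.3.0r18.0, Type: Firewall+VPN')."""
    m = re.search(r"Software Version:\s*([0-9][^\s,]*)", output)
    if not m:
        raise ValueError("no Software Version line found")
    return m.group(1)


# Constructed sample, approximating real output; not captured from a device.
SAMPLE_GET_SYSTEM = """Product Name: SSG-140
Serial Number: 0123456789, Control Number: 00000000
Software Version: 6.3.0r18.0, Type: Firewall+VPN
"""

if __name__ == "__main__":
    rel = release_from_get_system(SAMPLE_GET_SYSTEM)
    print(rel, "->", affected_cves(rel) or "fixed / not affected")
```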

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Is it Time to Hire an MSSP for Your Security Operations Center?

Enterprise security cannot be procrastinated. No matter the size of your business or your specific industry, a security breach is not something any company wants to experience.

The 2015 Verizon Data Breach Investigations Report states, “The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.” Not only does a breach potentially expose or harm your company’s intellectual property, but such an event may also expose information about your employees and customers. It’s time to seriously consider partnering with a Managed Security Service Provider (MSSP) before it’s too late. Using an MSSP is almost always more cost-effective than establishing the same services in-house. It is faster to set up and implement and your organization will benefit from a wider pool of expertise and experience than is accessible when confined to hiring security practitioners from your own geographic backyard.

The Extra Costs of Internal SOC vs MSSP

Cost is always a driving factor, if not the sole deciding factor, when it comes to network security decisions on behalf of your organization. Whether you require tools, personnel or services, security doesn’t contribute to the bottom line; thus, it’s easy to put the issue on the back burner and delay making changes.

What if security didn’t have to be prohibitively expensive? Using an MSSP can be significantly more affordable than the costs associated with building and running a Security Operations Center (SOC) internally.

Costs associated with implementing a SOC in-house:

  • Personnel
    • Recruiting
    • Salaries
    • Benefits
    • Holidays/Leave
    • Retention
  • Furniture & Accommodations
  • Security Appliances
  • Software Licensing
  • Professional Training
    • Vendor-based
    • Security
    • Professional Certifications

By hiring an MSSP to supplement or enhance your security program, you avoid many of the above costs. Estimates for using an MSSP range from 20-50% less than building a SOC in-house. If your MSSP is remote or cloud-based, you won't have the costs associated with furniture and accommodations. You'll also have access to the personnel employed by the MSSP, which means the benefit of their collective experience and expertise for a fraction of the cost of their salaries. Due to relationships with security vendors, MSSP employees traditionally receive more vendor-based and general security training and professional certifications than an average budget would fund.

Shorter Timeframe for Realizing ROI

Any significant investment of capital is going to be tethered to an expectation of return on investment, and the ROI for an in-house built and managed SOC can take years to realize. Hiring and recruiting is expensive and time consuming, as is implementing new technologies.

Steps to ROI on an In-house SOC

  • Select and vet each security solution
  • Acquisition process
  • Vendor equipment processing and delivery
  • Change control board to install and configure the solutions
  • Baseline solutions
  • Test and tune the solutions to ensure optimum functionality

This process can take up to a year (or more). That’s a year your organization will wait to use new solutions or realize measurable ROI, not to mention a year during which your network is left unprotected.

Working with an MSSP for your SOC eliminates extraneous internal processes and dramatically reduces the time from purchase and implementation to true ROI. Additionally, partnering with a cloud-based SOC provider eliminates the testing and vetting of technologies, acquisition delays and the need for change control boards. A few internal configurations will enable the MSSP SOC provider to begin monitoring your environment and showing immediate ROI, with a secure infrastructure already in place and processes and procedures established.

Added Value of MSSP Experience and Expertise

Unlike a traditional in-house SOC analyst, an MSSP SOC analyst has a depth of experience from working with a wide array of customer environments, which gives a broader technical perspective and knowledge of a greater variety of attack methods and issue resolutions. When it comes to enterprise monitoring, incident detection, reporting and incident response, a staff of security practitioners who perform at a high level consistently is key.

Working as a third party, an MSSP analyst is not typically subject to internal politics or bias. Being impartial and objective as a security analyst is crucial to ensuring that all incidents are triaged fairly and appropriately. It also ensures that incidents aren't ignored due to internal pressures from management or other business units. Simply put, the MSSP is hired to monitor and protect your enterprise. Working with a SOC partner eliminates workplace complexities and provides a more thorough and comprehensive service than could be implemented internally.

Ready to Take the Next MSSP Step?

On average, an attacker goes unnoticed for 205 days in an enterprise network. By the time personnel recognize a problem, 69% of the time they’re notified by an outside entity like the police, the government, or the attacker themselves. Security should never be taken lightly, and an MSSP is a cost-effective way to get the security monitoring and services you need to protect your organization today. With an immediate ROI and dependable security expertise, hiring an MSSP to augment and enhance your enterprise SOC is a smart business decision.

GuidePoint Security offers a fully managed Security-Platform-as-a-Service (SPaaS) called the Virtual Security Operations Center (vSOC). We provide the people, process and technology to run a world-class SOC from our cloud-based platform. By combining the dynamic scalability of Amazon Web Services (AWS) with the power of Splunk and a threat intelligence platform, we've created a comprehensive solution for enterprise security. The GuidePoint solution is designed to augment your existing security team, allowing you to shift focus from operating information technologies to consuming IT.

If your organization is interested in learning more about enhancing your Enterprise Security posture, contact us to learn more about GuidePoint’s vSOC today!

Cloud Border Visibility

Maintaining network visibility is one of the biggest concerns in moving to the cloud. Fortunately, many traditional tools and techniques still work in a cloud environment. Network visibility is a broad topic. However, in this post, we will discuss maintaining network visibility at your cloud border.

Virtual Private Clouds

Amazon Web Services (AWS) and Microsoft Azure offer the capability of segmenting your infrastructure services into a private "virtual" network. In AWS this is called a Virtual Private Cloud (VPC), while in Azure it's called a Virtual Network (VNet). The capabilities of the two are broadly similar.

Private Networks (as we’ll refer to them) allow you to segment your assets into a “virtual network.” These Private Networks allow you to create subnets, access control lists (ACL), route tables, and more. The Private Network itself can also have its own private IP space (RFC 1918) and a VPN gateway. This allows for – among other things – large hybrid cloud configurations.

At the border of your Private Network, you can place a cloud-provided Internet gateway or Network Address Translation (NAT) gateway and route your Internet traffic to and from your network through it. To summarize, VPCs give the network engineer the appearance of a traditional network infrastructure.

Border Visibility

The problem with this configuration is in how access is controlled and reported at the border of the Private Network. Both AWS and Azure offer quick solutions to route traffic in and out of the network, with access brokered by simple allow/deny rules: in AWS, security groups (stateful, attached to instances) and network ACLs (stateless, attached to subnets); in Azure, Network Security Groups (stateful). These are packet filters matching on addresses, ports and protocols; they do not understand the traffic they pass.

AWS and Azure both have the ability to log these filtering decisions. Using VPC Flow Logs (AWS) and Azure Diagnostics, it's possible to pull accept/reject records, as well as other security and operational metrics, into an existing log collection platform. Keep in mind what such a record contains: a 5-tuple, packet and byte counts, a time window and an ACCEPT or REJECT verdict, and nothing of the payload. There are a few capabilities still missing in this configuration.
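To make concrete what a flow-log record does and does not tell you, here is an added example (not from the original post) that parses VPC Flow Log records in the default format and summarizes Internet-sourced flows that the border accepted. The field order is AWS's default flow-log format; the sample records are constructed for the example and the helper names are my own:

```python
import ipaddress
from collections import Counter

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA records carry '-' in the
    address fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def accepted_external_ingress(records):
    """Count ACCEPTed flows from non-RFC 1918 sources into RFC 1918 space,
    keyed by (dst, dstport, protocol). Note that nothing here says what was
    sent over port 443: the log has a verdict and byte counts, not content."""
    counts = Counter()
    for r in records:
        if r["action"] == "ACCEPT" and not is_rfc1918(r["srcaddr"]) and is_rfc1918(r["dstaddr"]):
            counts[(r["dstaddr"], r["dstport"], r["protocol"])] += 1
    return counts


def rejects_by_source(records):
    """Count REJECTed flows per external source; a source hitting many ports is a scan."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT" and not is_rfc1918(r["srcaddr"]):
            counts[r["srcaddr"]] += 1
    return counts


# Constructed sample records (not real flow-log data).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51544 443 6 12 3410 1450000000 1450000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51545 22 6 3 180 1450000000 1450000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40000 443 6 8 2100 1450000000 1450000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.7 10.0.1.20 33000 3306 6 40 9000 1450000000 1450000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1450000060 1450000119 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("accepted external ingress:", dict(accepted_external_ingress(recs)))
    print("rejects by source:", dict(rejects_by_source(recs)))
```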

First, the Cloud Service Providers' gateway solutions (or simple public IPs, in the case of Azure) don't provide the ability to inspect ingress or egress traffic using modern technologies. Promiscuous packet capture doesn't work within these cloud environments, and at the time of writing neither provider offers a native port-mirroring equivalent. Therefore, activities such as layer-7 inspection (e.g. a Next-Generation Firewall), network intrusion detection/prevention (IDS/IPS), and user behavior analytics are not possible unless you are in-line with the communications channel.

Additionally, Cloud Service Providers’ NAT gateway solutions are proprietary and don’t fit in with the usual on-premises firewall solutions. For example, if your organization uses Palo Alto firewalls and manages them with Panorama, the cloud firewall device would not be able to be managed in the same interface. This makes configuration management and control more difficult for both the security ops and compliance teams.

In short, native Cloud Service Provider gateway solutions aren’t cut out for modern enterprise deployments. However, we routinely see these virtual gateways deployed in enterprise configurations.

Closing the Gap

Fortunately, there are other options available. Vendors like Palo Alto, Fortinet, Sophos, and Check Point have released their own virtual Unified Threat Management (UTM) appliances. The first step in closing this gap is, of course, using one of these enterprise appliances. If possible, choose one that matches your on-premises firewalls to help with management continuity.

But that’s not the end of the story.

Deploying a virtual UTM appliance is easy. Unfortunately, properly configuring the Private Network is a step that many skip. Each Private Network subnet (in both AWS and Azure) needs its route table pointed at the new UTM, and the appliance must be allowed to forward traffic it did not originate (in AWS, that means disabling the source/destination check on the appliance's interfaces). Complicating this further, subnets in both AWS and Azure are all locally routable by default, so without overriding those default routes between subnets your new UTM can't segment your networks. In Azure, user-defined routes can override the system routes, but this requires some PowerShell work. In AWS, a route-table entry cannot override the VPC's local route at all, so east-west traffic between subnets never reaches the UTM: segmentation within the VPC has to come from security groups and network ACLs, while the route tables send north-south traffic (0.0.0.0/0) to the UTM's inside interface and only the UTM's own outside subnet routes to the Internet gateway. Getting the routes wrong ranges from nothing working to traffic silently bypassing the UTM; not something we want after all this work.

In summary, the subnets within the Private Networks must still be isolated from one another with ACLs or NSGs, and route tables must specifically route traffic through the UTM. In a future post we’ll go over specifically how to properly configure a VPC in AWS and a VNet in Azure using a UTM appliance.
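As a check on the routing step described above, the following added example (written for this page, not GuidePoint's code) audits route tables in the shape returned by `aws ec2 describe-route-tables` and reports every protected subnet whose default route does not go to the UTM. It resolves subnets without an explicit association to the VPC's main table, which is exactly where a forgotten subnet ends up pointing at the Internet gateway. The data is a constructed sample, and the resource IDs and function names are assumptions:

```python
# Keys that can carry a route's target in describe-route-tables output.
TARGET_KEYS = ("NetworkInterfaceId", "InstanceId", "NatGatewayId", "GatewayId")


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def audit_default_routes(route_tables, protected_subnets, utm_targets):
    """For each protected subnet, resolve its route table (explicit association,
    else the VPC main table) and report a finding if the default route is
    missing or points anywhere other than the UTM. Pass only the subnets that
    should sit behind the UTM: the UTM's own outside subnet must route to the
    Internet gateway and would otherwise be reported."""
    by_subnet, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = rt
    findings = []
    for sid in protected_subnets:
        rt = by_subnet.get(sid, main)
        if rt is None:
            findings.append((sid, "no route table"))
            continue
        target = default_route_target(rt)
        if target is None:
            findings.append((sid, "no default route (isolated)"))
        elif target not in utm_targets:
            findings.append((sid, f"default route bypasses UTM via {target} ({rt['RouteTableId']})"))
    return findings


# Constructed sample (not real account data): the app subnet is routed through
# the UTM, the db subnet has no default route, and the web subnet was never
# associated with a table, so it inherits the main table's route to the IGW.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}],
     "Associations": [{"Main": True, "RouteTableAssociationId": "rtbassoc-0"}]},
    {"RouteTableId": "rtb-app", "VpcId": "vpc-1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-utm-inside", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-app", "Main": False, "RouteTableAssociationId": "rtbassoc-1"}]},
    {"RouteTableId": "rtb-db", "VpcId": "vpc-1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-db", "Main": False, "RouteTableAssociationId": "rtbassoc-2"}]},
]
PROTECTED_SUBNETS = ["subnet-app", "subnet-db", "subnet-web"]
UTM_TARGETS = {"eni-utm-inside"}

if __name__ == "__main__":
    for subnet, finding in audit_default_routes(SAMPLE_ROUTE_TABLES, PROTECTED_SUBNETS, UTM_TARGETS):
        print(f"{subnet}: {finding}")
```

Feed it the `RouteTables` list from the real API response and the ENI ID of the UTM's inside interface. The isolated-subnet finding is informational; the bypass finding is the one that means traffic is leaving the VPC without inspection.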

Summary

The native cloud infrastructure solutions do not provide the expected level of visibility needed for enterprise analysis. Furthermore, achieving that level of visibility is not as straightforward as we would like it to be. It’s important that security and network engineers take their time to architect the infrastructure, create (and analyze!) threat models, and to thoroughly test the cloud infrastructure.

Tips on Cloud Security: New Blog Series

Cloud service providers like Amazon Web Services and Rackspace are expanding so rapidly that it can be difficult to keep up with the pace of change and with how IT security is impacted as a whole. The power of automating development, test and production at scale has changed the way software is developed, as clearly demonstrated within the DevOps community. The ability to use low-cost, on-demand compute resources to scale and grow business operations is compelling, to say the least, and organizations are increasingly moving their IT environments to the cloud.

With the accelerated rate at which technology is evolving, there are more opportunities for security breaches—but here’s a refreshing development: security is finally becoming cool in the IT world! However, it’s often still an afterthought in the planning process of implementing a new technology, and taking an ad-hoc approach to security is typically a complex, frustrating and almost always expensive undertaking. As a result, the engineering team at GuidePoint has been diligent in looking for ways to help customers assess the technical challenges they may not realize they’re facing.

In response to the great cloud migration and the ever-changing tides of potential threats to security, we’ll be publishing a series of cloud security blogs over the coming months to help organizations understand how to better secure and operate their cloud environments. Topics will range from new cloud service reviews and architectural advice to hands-on technology integration how-tos.

We hope you’ll find this information helpful and join us in the conversation.
