Overview

Juniper issued a critical security bulletin on Friday December 18, 2015, stating that two distinct critical vulnerabilities were discovered during an ‘internal code review’. These vulnerabilities affect devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, the Operating System that runs its popular NetScreen firewalls, which are widely used by organizations as a Next Generation Firewall and to provide VPN access.   The first vulnerability, CVE-2015-7755, allows an attacker to obtain unauthorized administrative remote access to the firewall. The second vulnerability, CVE-2015-7756, may allow an attacker to decrypt VPN traffic. Based on the versions impacted, these vulnerabilities have likely been in these products since late 2012.

On Sunday, December 20, 2015, Rapid7’s HD Moore released a blog post that identified an extra strcmp call in the vulnerable ScreenOS versions with an argument of <<< %s(un=’%s’) = %u, which is the backdoor password. This password allows an attacker to bypass authentication through SSH and Telnet, provided that they have a valid username.  According to Moore, if you want to test this issue on your Juniper devices, Telnet or SSH to a NetScreen device, specify a valid username and the backdoor password. If the device is vulnerable, you will receive an interactive shell with the highest privileges.

Impact

Because these vulnerabilities have the potential to provide administrative access to tens of thousands of devices that sit on the perimeter of organizations’ networks, as well as provide attackers with the ability to read encrypted traffic, their impact should be considered Critical and vulnerable systems should be patched immediately.

Identification

Unfortunately, identifying whether or not the authentication bypass vulnerability has been exploited in your network is non-trivial, given that any attacker who accessed the backdoor would also have privileges to delete the logs. However, Juniper did provide guidance on identifying a successful exploit. If your organization is leveraging a centralized logging solution or SIEM, you should be able to review the logs for potential intrusions.

GuidePoint is also advising our customers to look for consistent and persistent traffic originating from unfamiliar and atypical IP address ranges that could represent the attackers moving inside your network once they’ve gained access to the appliance. Additionally, Fox-IT has released a set of Snort rules that can detect access with the backdoor password over Telnet and detect any connection to a ScreenOS Telnet or SSH service.

https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f

Even worse, Juniper stated that there is currently no way to detect if the vulnerability that allows an attacker to decrypt VPN traffic has been exploited.

Remediation

Juniper has released updated versions of all impacted ScreenOS versions and GuidePoint is advising customer’s to upgrade any impacted devices as soon as possible. According to Juniper, “the following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases. Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b. Finally, Juniper is recommending that customers restrict management access to only trusted management networks and hosts to limit the attack surface for the authentication bypass flaw.
GuidePoint Security is available to assist our customers with any remediation efforts. Please contact your Account Executive or click here for more details on how GuidePoint can help.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.