Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-17-2015 16:36

    Please review this critical security update from Juniper.  If you are running these versions of ScreenOS plan for an upgrade as soon as is practical.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713

     

    Remember to read the new signing key warnings.  Your hardware may need the new signing key installed prior to upgrade to boot properly from the new images.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16496

     

     



  • 2.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
    Best Answer

    Posted 12-20-2015 13:09

    I've created a short procedure list for the update and signing key check here.

     

    http://puluka.com/home/techtalknetworking/screenoscriticalsecurityissue2015.html



  • 3.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 04-09-2016 05:54

    Juniper has now completed the ScreenOS VPN updates with the removal of the DUAL_EC_DRBG and the ANSI X9.31 PRNG in ScreenOS 6.3r22

     

    http://forums.juniper.net/t5/Security-Incident-Response/Juniper-Networks-Completes-ScreenOS-Update/ba-p/290368

     

    Plan on downloading and updating systems accordingly.



  • 4.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-21-2015 12:21

    The JSA has updated but it may not be immediately obvious:

     

    The backdoor password is posted in plain-text online and can be found with a quick Google search.



  • 5.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-21-2015 12:36

    I have a question about this.  I have a few NS5GTs in the field that are running OS 6.2.0r17.  I know these are end of life and end of support but I'm wondering if they are vulnerable?  I noticed the OS version I have was taken off the downloads site for them but there isn't a replacement.  

     

    If they are vulnerable, what can I do to make them not?



  • 6.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-21-2015 12:39

    Call JTAC and reference this particular issue. They may be nice enough to compile and provide you with a fixed 6.2 version for the 5GT.



  • 7.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-21-2015 12:54

    Thanks.  It looks like they are going to do a support case for these and get authorization for this without support.  Thanks for suggesting this.



  • 8.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-21-2015 15:26
    Now that's a pretty cool result if I say so myself


  • 9.  RE: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    Posted 12-22-2015 06:28

    Very scary revelation on one of the vulnerabilities discovered (specifically the PRNG issue):

     

    http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html

     

    TL;DR: Taking advantage of the unauthorised modification to how ScreenOS generates cryptographic keying material relies on an even older bug, which may have been deliberately introduced to pave the way for exactly such a future backdoor.