Security Incident Response
Showing results for 
Search instead for 
Do you mean 

Important Announcement about ScreenOS®

by Juniper Employee ‎12-17-2015 09:02 AM - edited ‎12-21-2015 08:40 AM

IMPORTANT JUNIPER SECURITY ANNOUNCEMENT

 

CUSTOMER UPDATE: DECEMBER 20, 2015

 

Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

 

We strongly recommend that all customers update their systems and apply these patched releases with the highest priority.

 

POSTED BY BOB WORRALL, SVP CHIEF INFORMATION OFFICER ON DECEMBER 17, 2015

 

 

Juniper is committed to maintaining the integrity and security of our products and wanted to make customers aware of critical patched releases we are issuing today to address vulnerabilities in devices running ScreenOS® software. 

 

During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.

 

At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.

 

On behalf of the entire Juniper Security Response Team, please know that we take this matter very seriously and are making every effort to address these issues. More information and guidance on applying this update to systems can be found in the Juniper Security Advisories (JSAs) available on our Security Incident Response website at http://advisory.juniper.net.  

 

Bob Worrall

SVP Chief Information Officer

 

Q: Why did this issue require an out-of-cycle security advisory?
Juniper is committed to maintaining the integrity and security of our products. Consistent with industry best practices, this means releasing patches for products in a timely manner to maintain customer security. We believed that it was in our customers’ best interest to issue these patched releases with the highest priority.

 

We strongly recommend that all customers update their systems and apply these patched releases as soon as possible.

 

Q: What devices do these issues impact?

Administrative access (CVE-2015-7755) only affects devices running ScreenOS 6.3.0r17 through 6.3.0r20.

VPN Decryption (CVE-2015-7756) only affects devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

We strongly recommend that all customers update their systems and apply the patched releases with the highest priority

 

Q: Is the SRX or any other Junos®-based system affected by these issues?

These vulnerabilities are specific to ScreenOS. We have no evidence that the SRX or other devices running Junos are impacted at this time.

 

Q: Who can I contact if I have additional questions about my system?

Customers with questions about their systems should e-mail us at sirt@juniper.net

 

 

 

 

 

Comments
by ralvarado@clearslide.com
on ‎12-17-2015 04:12 PM

Hello,  Are there a workaround for the decrypting vpn connections part of the vulnerablity? 

 

Thanks,

-Rico 

by digger33
‎12-17-2015 05:13 PM - edited ‎12-17-2015 05:17 PM

The original version of this article mentioned username 'system'; was this in error, or was it removed for some other reason? How can customers identify a successful attack through the logs?

 

Update: Found the reference, it was in the KB, not the advisory: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST&smlogin=true

by sebastianw
on ‎12-18-2015 12:45 AM

I'm curious about how that code was added and who added it? Will there be further information?

by zauber
on ‎12-18-2015 06:05 AM

Hello!

 

In regards to "unauthorized remote administrative access to the device over SSH or telnet", is it safe to assume that if we restrict access through those ports, we are implementing a workaround?

For some companies, this time of the year is critical, so patching could be an issue.  So in order to prevent this unauthorized access, we can restrict access and patch later.

 

Thank you....

by gleduc@mail.sdsu.edu
on ‎12-18-2015 08:52 AM

Does exploitation require that management be enabled on an exposed interface?

 

by jonesdnet
on ‎12-18-2015 09:15 AM

I am curious if there is a more detailed document on the issues than the JSA.  For one, I assume the SSH/Telnet access issue is dependent on whether that access is allowed in the first place.  Basically, if Untrust doesn't have SSH or Telnet enabled I assume the vulnerability isn't an issue for that zone.  Does FIPS mode affect this at all?  For the VPN issue, is this only VPNs using PSKs or does it also affect VPNs using PKI certificates?  Is it an issue with the ASIC used to offload crypto functions or something in software?

by Iceberg
on ‎12-18-2015 09:21 AM
Need more info about VPN vulnerability, what are the conditions for it to be exploited? Is it in the same CVE or different one?!
by przema86
on ‎12-18-2015 11:52 AM

it is good that you are saying it.. but in general.. "Juniper discovered unauthorized code in ScreenOS"

 

what a shame, Juniper... what a shame....

by Distinguished Expert
on ‎12-20-2015 01:07 PM

I suggest adding a prominent note on the vulnerability announcment that reminds users the signing key for ScreenOS images changed in August of 2014.  Administrators must be careful that their device has the new key installed already or they will need to add this key BEFORE upgrading to the new firmware.

 

I have more details here:

 

http://puluka.com/home/techtalknetworking/screenoscriticalsecurityissue2015.html

 

Please add the reminder and links to the signing key documents to this announcement.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713

 

Signing Key documentation:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495

 

http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16496

 

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV JNCIS-SSL JNCDA
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home

by
on ‎12-20-2015 04:22 PM

I would like to reiterate the message from Steve Puluka above. Customers should be very clearly reminded that it is important that they check the correct signing key is installed before attempting to upgrade to the recommended version of ScreenOS. A failure to do so may result in them inadvertently taking their devices offline. I would suggest highlighting this within JSA10713 in large bold red font.

by Juniper Employee
on ‎12-20-2015 06:44 PM

Hi, Can the "set admin manager-ip x.x.x.x/y" setting on firewall restrict the unauthorized "system" user login the device? Or we can only upgrade the screenos to avoid it? thanks.