Juniper Networks ScreenOS Backdoor
01/15/16 Category: Security
Juniper announced that certain versions of ScreenOS (used on Juniper Networks SSG firewalls) have multiple security issues.
While there is still a sparsity of information about how this happened, who is responsible, and when or if we'll ever be told, we can only make some worse case assumptions about why the information hasn't been released. Rumors are out there about nation state involvement and even our own country can't be ruled out at this time. It wouldn't be the first time that our government wasn't aware of the risk of releasing something into the wild and blow back implications.
What to do?
Check Juniper KB JSA10713 for further information, you will need a support login for that link. This relates to two CVEs: CVE-2015-7755 and CVE-2015-7756.
Basically the versions ScreenOS 6.3.0r17 through 6.3.0r20 should immediately be upgraded or downgraded. Juniper says it only affects those versions but spot checks indicate a lot of firewalls on the internet remain at risk by running those noted versions.
Juniper Networks has indicated that anyone with a support login (with or without current support on their ScreenOS platform) can get a new ScreenOS version image.
Juniper has not proactively contacted all registered owners that I know of. That's a shame, they certainly know the Email addresses of all the registered firewall users.
Consider a firewall replacement… We can't assume that other releases are secure of other vulnerabilities, We cannot assume that without additional details that further issues haven't been affecting other Juniper products or any other manufacturers for that matter. Sometimes where there's smoke there's fire.
Please note there is no way to detect if the vulnerabilities have been exploited.
Consider not purchasing Juniper firewalls for now until further information is made available. Partially just in response to their lack of releasing details.
As always, minimize the footprint of any attack surface by not making services available to the outside that shouldn't be (ssh as one example), further restrict by using permitted IPs when possible and consider more aggressive methods like firewall sandwiching (see subsequent future articles on this blog).