Two critical vulnerabilities were discovered in Juniper equipment (from ScreenOS 6.3.0r17 through 6.3.0r20). The vulnerability CVE-2015-7755 allows unauthorized access to the remote administration of the devices without prior knowledge, beside the username. The attacker can take full control of the devices. The vulnerability CVE-2015-7756 allows passive attackers to monitor VPN encrypted traffic and decrypt all the traffic without prior knowledge of the key materials.
- Juniper devices using ScreenOS 6.3.0r17 (April 2014) through 6.3.0r20 (December 2015) for CVE-2015-7755.
- Juniper devices using ScreenOS 6.2.0r15 (September 2012) through 6.3.0r20 (December 2015) for CVE-2015-7756.
- Other juniper products not relying on ScreenOS
Details on the Vulnerability
Both security issues were discovered by Juniper during an internal code review. The initial publication was on 17th December 2015.
On 20th December 2015, the default password used by the backdoor has been found within a couple of days by multiple teams, and published by Rapid7 so it is exploited by multiple attackers, making the update a mandatory requirement.
Applying the updated firmwares provided by Juniper as soon as possible. Software updates are available at the Juniper’s support website. We also recommend to calculate the SHA1 fingerprint for the downloaded firmware and compare it with the list provided by Juniper.
If it is not possible to upgrade immediately, a temporary mitigation for CVE-2015-7755 is to filter access to the activated administration ports, especially telnet/ssh session and limit the access to a set of trusted sources. As the credentials are publicly known, the probability of devices being compromised is high.
There is no way to mitigate CVE-2015-7756.
If the vulnerable systems were in production, it is strongly recommended to investigate the connection logs, but if they were not sent to a centralized logging system, it is also safe to assume they may have been tempered by potential attackers during an attack.
Another recommendation is to use the Snort rules provided by Fox-IT in order to detect the following:
- Successful login over telnet using the backdoor
- Tentatives to contact ScreenOS devices over SSH (the false positives rate might be high)
Important note: All prior traffic relying on those vulnerable VPNs should be considered compromised, which can lead to further compromising in the infrastructure. As an example, if users may have sent credentials in clear over the vulnerable encrypted VPN, it is recommended to change those credentials and to further investigate for potential exploitation and compromise. Note that it is possible to decrypt recorded network traffic from packet captures.
- 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756)
- First Exploit Attempts For Juniper Backdoor Against Honeypot
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:WHITE - First version - 21 December 2015