Newsflash: Security Vulnerabilities with Juniper ScreenOS System

An unauthorized code in the ScreenOS system is causing illegitimate remote administrative access, and allowing a knowledgeable attacker to monitor and decrypt VPN traffic.

Explanation

  • Upon exploitation of the unauthorized administrative access, the log file would contain an entry that 'system' had logged on followed by password authentication for a username:

    Example:
    Normal login by user username1:
    2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from ... .
    2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'username1' at host ... .

    Compromised login by user username2:
    2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from ... .
    2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'username2' at host ... .

    Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been compromised

    This issue only affects ScreenOS 6.3.0r17 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue.
     

  • As for the VPN decryption, there is no way to detect that this vulnerability was exploited.

    This issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue.

Conclusion - Workaround

The following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases.
Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b.
 
The customer is advised to upgrade to a fixed release to resolve these critical vulnerabilities.
An additional recommendation would be to use access lists or firewall filters to restrict the management access from only trusted, internal, administrative networks or hosts. No workaround or detection exists for the VPN decryption vulnerability. 
 
For more information and assistance please contact Infradata by phone +32 (0)2 801 08 30 or by mail support@infradata.be.