Vulnerability in Juniper ScreenOS

Number: AL15-016
Date: 21 December 2015

Purpose

The purpose of this alert is to bring attention to additional information that recently became available concerning the disclosed vulnerability in Juniper ScreenOS.

Assessment

CCIRC is aware of additional, publicly available information concerning the recently disclosed vulnerability in Juniper ScreenOS. The information contains the backdoor password for affected Juniper devices, which would allow an attacker to gain shell access with elevated privileges. As a result, CCIRC would like to raise awareness concerning this potentially serious vulnerability.

Suggested action

Due to the elevated risk that this vulnerability presents, CCIRC recommends that system administrators test and deploy the vendor-released updates to affected devices, and that these patches be given priority.

The Snort signatures below were released by Fox-IT and can be used to detect exploit attempts. A Telnet login attempt that uses the disclosed backdoor password triggers an alert, and a second alert follows if the login succeeds. The SSH signature triggers an alert for all SSH login attempts, including legitimate traffic.

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)

alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,fox.juniper.screenos.password; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:successful-admin; sid:21001731; rev:1;)

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; priority:1; sid:21001728; rev:1;)
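
The stateful logic of the three Telnet signatures above, modelled in Python as an added example (not part of the CCIRC alert or the Fox-IT release): the banner rule tags the flow silently, the password rule alerts only on tagged flows, and the success rule alerts only after the password rule has fired. The session contents, prompts and hostname are constructed, and each payload is assumed to arrive as one reassembled segment.

```python
# Added example: models the flowbit chain of SIDs 21001729-21001731.
BANNER = b"Remote Management Console\r\n"   # content of sid 21001729 (27 bytes)
# content of sid 21001730, kept as the hex string given in the rule
PASSWORD = bytes.fromhex("3c3c3c20257328756e3d2725732729203d202575")
PROMPT = b"-> "                              # content of sid 21001731

def inspect_flow(packets):
    """Return the SIDs that alert for one established TCP/23 flow.

    packets: list of (direction, payload), direction being "to_client"
    (device -> peer) or "to_server" (peer -> device).
    """
    flowbits, alerts = set(), []
    for direction, payload in packets:
        if direction == "to_client":
            # 21001729: offset:0; depth:27 pins the banner to the payload start.
            # flowbits:noalert means it only sets state and never alerts.
            if payload.startswith(BANNER):
                flowbits.add("fox.juniper.screenos")
            # 21001731: isdataat:!1,relative requires "-> " to end the payload.
            if "fox.juniper.screenos.password" in flowbits and payload.endswith(PROMPT):
                alerts.append(21001731)
        elif direction == "to_server":
            # 21001730: only evaluated on flows already tagged as ScreenOS.
            if "fox.juniper.screenos" in flowbits and PASSWORD in payload:
                flowbits.add("fox.juniper.screenos.password")
                alerts.append(21001730)
    return alerts

def session(password, final_reply, banner=BANNER):
    """Build a constructed Telnet exchange (user, prompts, hostname invented)."""
    return [("to_client", banner + b"login: "),
            ("to_server", b"user1\r\n"),
            ("to_client", b"password: "),
            ("to_server", password + b"\r\n"),
            ("to_client", final_reply)]

if __name__ == "__main__":
    cases = {
        "backdoor password, login succeeds": session(PASSWORD, b"fw01-> "),
        "backdoor password, login rejected": session(PASSWORD, b"login: "),
        "ordinary password": session(b"constructed-pass", b"fw01-> "),
        "pattern sent to a non-ScreenOS host": session(PASSWORD, b"$ ", b"Other OS\r\n"),
    }
    for name, packets in cases.items():
        print(f"{name}: {inspect_flow(packets)}")
```

Because the chain starts with sid 21001729, the two later rules never fire if that rule is not loaded or the sensor misses the start of the session.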

References

CCIRC Advisory AV15-126: Juniper 2015-12 Out of Cycle Security Bulletin
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2015/av15-126-en.aspx

Rapid7 Blog - CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

SANS (ISC) - Infocon Yellow: Juniper Backdoor (CVE-2015-7755 and CVE-2015-7756)
https://isc.sans.edu/diary.html?n&storyid=20521

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
