Update: As of December 23rd, we have learned that even when the usernames are changed on an unpatched Juniper product, the device can still be compromised. Therefore, it is urgent that Juniper customers patch their devices immediately.
On December 17, Juniper Networks disclosed two backdoors in its ScreenOS software, which runs on its NetScreen Series enterprise firewalls.
The first backdoor (CVE-2015-7755) allows an attacker to log in with a hardcoded password using any existing user name via SSH or Telnet. The other (CVE-2015-7756) enables a “knowledgeable attacker” to decrypt VPN connections. (Details from Juniper can be found here: http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554).
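Because CVE-2015-7755 accepts the backdoor password for any existing username, neither the username nor the mere fact of a successful login is a useful signal on its own; what a defender can still check is whether administrative logins arrived from approved management hosts. The script below is an added example, not NSS or Juniper code: it parses a constructed, generic login-event format (not ScreenOS' real syslog format), keeps only successful SSH/Telnet logins, and reports those whose source address falls outside an assumed management allowlist.

```python
"""Flag successful firewall admin logins that did not originate from an
approved management network.  Log format and allowlist are constructed for
this example; adapt LINE_RE and MGMT_NETS to your own device's syslog output."""
import ipaddress
import re

# Hypothetical event line (constructed, NOT the real ScreenOS format):
#   <timestamp> <host> login: user=<name> src=<ip> proto=<ssh|telnet> result=<ok|fail>
LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)"
)

# Assumption: administrators only connect from these ranges (constructed values).
MGMT_NETS = [
    ipaddress.ip_network("10.0.10.0/24"),
    ipaddress.ip_network("192.168.1.5/32"),
]


def parse_login(line):
    """Return the login fields as a dict, or None if the line is not a login event."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_from_mgmt(src):
    """True when src is a valid IP inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: treat as not approved
    return any(ip in net for net in MGMT_NETS)


def suspicious_logins(lines):
    """Successful logins (any username, any protocol) from non-management sources.

    Returns a list of (user, src, proto) tuples in log order."""
    findings = []
    for line in lines:
        rec = parse_login(line)
        if rec is None or rec["result"] != "ok":
            continue  # ignore non-login lines and failed attempts
        if not is_from_mgmt(rec["src"]):
            findings.append((rec["user"], rec["src"], rec["proto"]))
    return findings


# Constructed sample log: two legitimate logins, two from outside the allowlist,
# one failure, and one unrelated line.
SAMPLE_LOG = [
    "2015-12-18 08:01:02 fw1 login: user=admin src=10.0.10.15 proto=ssh result=ok",
    "2015-12-18 08:05:44 fw1 login: user=admin src=203.0.113.7 proto=ssh result=ok",
    "2015-12-18 08:06:10 fw1 login: user=netops src=192.168.1.5 proto=ssh result=ok",
    "2015-12-18 09:12:33 fw1 login: user=netops src=198.51.100.20 proto=telnet result=ok",
    "2015-12-18 09:13:01 fw1 login: user=netops src=198.51.100.20 proto=telnet result=fail",
    "2015-12-18 09:20:00 fw1 system: config saved by admin",
]

if __name__ == "__main__":
    for user, src, proto in suspicious_logins(SAMPLE_LOG):
        print(f"REVIEW: successful {proto} login as {user} from non-management host {src}")
```

The check deliberately ignores the username: after the December 23rd update above, renaming accounts offers no protection, so the source of the session is the attribute worth alerting on until the device is patched.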
Juniper claims the discovery was made during a routine review of its software code. It is likely that some adversary has been caught using these backdoors, but we will probably never know for sure. Given the nature of these backdoors, it is unlikely that Juniper is the only security vendor affected. For this reason, all security products (i.e., not just Juniper) should be considered suspect.
Why the backdoors were in the software—and how they got there—are secondary concerns from NSS’ perspective. The most important question security administrators should be asking is “What do we do now?”
NSS advises the following actions:
If you have additional questions, please reach out. We are here to help.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.