The Internet Storm Center has raised its alert level over the unauthorized code found in Juniper ScreenOS firewalls to yellow, which means it’s imperative to patch them today, literally, given that details on how to exploit the flaws have been published and that it’s a holiday week in which applying firewall patches can easily be overlooked.
According to the ISC warning, the level was raised because Juniper’s NetScreen firewalls are popular, because the “'backdoor’ password is now known, and exploitation is trivial at this point,” and because, this “being a short week for many of us, addressing this issue today is critical.”
Juniper acknowledged last week that unauthorized code is present in ScreenOS and that it enables two attacks. The first is a hard-coded password, <<< %s(un='%s') = %u, that grants administrative access when paired with any valid username. The second is a weakness in the IPSec VPN encryption code used by the devices that lets an attacker who can monitor VPN traffic decrypt it.
Disabling the universal backdoor password is impossible without applying the patches, the ISC says. It’s easy to figure out whether one of your own devices needs the update: try the backdoor password with a valid username against it, or compare the ScreenOS version on the machine with the list of affected versions, ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. Bear in mind that the test login itself will land in the device’s logs looking like any other administrative login.
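As an added illustration, not part of the ISC diary or of anything Juniper published, the following Python snippet does the version comparison described above. It pulls a ScreenOS version out of either a bare string or the `Software Version:` line of `get system` output and checks it numerically against the two affected ranges listed in the article, which avoids the classic mistake of comparing release numbers as strings. The inventory entries are constructed samples, and the `Software Version:` line mimics the usual format of that command rather than being captured from a real device.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ScreenOS releases as listed in the article: both ranges combined,
# without distinguishing which of the two problems each release carries.
AFFECTED_RANGES = (
    ((6, 2, 0, 15), (6, 2, 0, 18)),   # 6.2.0r15 through 6.2.0r18
    ((6, 3, 0, 12), (6, 3, 0, 20)),   # 6.3.0r12 through 6.3.0r20
)

# ScreenOS versions look like 6.3.0r17, optionally followed by a build
# component such as ".0"; the 'r' separates the release number.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)r(\d+)")

Version = Tuple[int, int, int, int]


def parse_screenos_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch, release) for the first ScreenOS version
    found in `text`, or None. Works on a bare version string and on the
    'Software Version:' line of `get system` output."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_affected(text: str) -> bool:
    """True if the ScreenOS version in `text` falls in an affected range.

    The comparison is done on integer tuples, not strings: a string compare
    would wrongly sort 6.3.0r9 after 6.3.0r12 and 6.3.0r21 before 6.3.0r3.
    """
    version = parse_screenos_version(text)
    if version is None:
        raise ValueError(f"no ScreenOS version found in {text!r}")
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map device name -> affected? for a dict of name -> version text."""
    return {name: is_affected(text) for name, text in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (not real devices). The second entry
    # mimics the 'Software Version:' line that `get system` prints.
    sample = {
        "fw-edge-1": "6.3.0r17",
        "fw-edge-2": "Software Version: 6.2.0r16.0, Type: Firewall+VPN",
        "fw-lab":    "6.3.0r9",
        "fw-new":    "6.3.0r21",
    }
    for name, flagged in triage(sample).items():
        print(f"{name}: {'PATCH NOW' if flagged else 'not in affected range'}")
```

Feed it the `Software Version:` line from each device’s `get system` output and anything that comes back `True` goes to the top of the patch list; the version check only says a device is vulnerable, not whether anyone has already used the backdoor against it.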
Detecting whether anyone has exploited the vulnerabilities on a particular device is harder and less certain, the ISC says, because it comes down to checking login logs, and the unauthorized entries look just like legitimate ones.
The first suggestion covers telnet logins. It relies on Snort rules published by security consulting firm Fox-IT, which detect telnet sessions established with the devices and then look in those sessions for the telltale password.
SSH logins with the same backdoor password are also covered, but differently, because the SSH session is encrypted and the password never appears on the wire. In that case the rules find SSH logins to the devices by looking for “the typical NetScreen SSH banner,” ISC says. That flags legitimate administrative SSH sessions as well, so each hit still has to be checked against the device’s own login records.
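As an added example, not the Fox-IT Snort rules themselves or anything from the ISC diary, here is the same two-part detection logic written in Python and run over constructed captured sessions. For telnet, the client-to-server bytes are reassembled and stripped of option negotiation before the backdoor password is searched for, because telnet clients typically send one keystroke per segment and a per-packet match would miss it. For SSH, only the cleartext version banner is visible, so the code flags sessions whose server banner identifies a NetScreen and leaves confirmation to the device logs. The banner form `SSH-2.0-NetScreen`, the session records and the sample keystrokes are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# The backdoor password Juniper disclosed. It is shaped like a printf-style
# format string so that it blends in with ordinary debug code.
BACKDOOR_PASSWORD = b"<<< %s(un='%s') = %u"

# Assumed form of the NetScreen SSH version banner: the cleartext
# 'SSH-<proto>-<software>' line every SSH server sends before key exchange.
NETSCREEN_SSH_BANNER = re.compile(rb"^SSH-\d\.\d+-NetScreen", re.MULTILINE)

# Telnet protocol bytes (RFC 854) needed to strip option negotiation.
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences so only user-typed bytes remain."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:                   # dangling IAC at end of stream
            break
        elif data[i + 1] == IAC:           # IAC IAC is an escaped 0xFF byte
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:            # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif WILL <= data[i + 1] <= DONT:  # three-byte option negotiation
            i += 3
        else:                              # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def telnet_backdoor_attempt(client_segments: List[bytes]) -> bool:
    """True if the reassembled client->server telnet stream carries the
    backdoor password. The segments must be joined first: telnet clients
    usually transmit one keystroke per TCP segment."""
    stream = strip_telnet_negotiation(b"".join(client_segments))
    return BACKDOOR_PASSWORD in stream


def ssh_to_netscreen(server_segments: List[bytes]) -> bool:
    """True if the server's cleartext SSH banner identifies a NetScreen.
    Everything after the version exchange is encrypted, so this cannot tell
    a backdoor login from a legitimate one; it only narrows which sessions
    to check in the device's own login logs."""
    banner_area = b"".join(server_segments)[:1024]   # banner comes first
    return NETSCREEN_SSH_BANNER.search(banner_area) is not None


def triage_sessions(sessions: List[Dict]) -> Dict[str, str]:
    """Run both checks over captured sessions; return name -> verdict."""
    verdicts = {}
    for s in sessions:
        if s["proto"] == "telnet" and telnet_backdoor_attempt(s["client"]):
            verdicts[s["name"]] = "BACKDOOR PASSWORD SEEN"
        elif s["proto"] == "ssh" and ssh_to_netscreen(s["server"]):
            verdicts[s["name"]] = "SSH to NetScreen: verify in device logs"
        else:
            verdicts[s["name"]] = "no indicator"
    return verdicts


def sample_sessions() -> List[Dict]:
    """Constructed capture data for the example, not real traffic."""
    # Telnet option negotiation (IAC WILL ECHO, IAC DO SUPPRESS-GO-AHEAD)
    # ahead of a login typed one keystroke per segment.
    negotiation = [bytes([IAC, WILL, 0x01]), bytes([IAC, DO, 0x03])]
    backdoor_login = [bytes([c]) for c in b"netscreen\r\n" + BACKDOOR_PASSWORD + b"\r\n"]
    normal_login = [bytes([c]) for c in b"netscreen\r\nCorrect-Horse-7\r\n"]
    return [
        {"name": "telnet-1", "proto": "telnet", "client": negotiation + backdoor_login, "server": []},
        {"name": "telnet-2", "proto": "telnet", "client": negotiation + normal_login, "server": []},
        # Banner line, then the start of the binary key exchange.
        {"name": "ssh-1", "proto": "ssh", "client": [], "server": [b"SSH-2.0-NetScreen\r\n", b"\x00\x00\x01\x0c\x0a\x14"]},
        {"name": "ssh-2", "proto": "ssh", "client": [], "server": [b"SSH-2.0-OpenSSH_7.1\r\n"]},
    ]


if __name__ == "__main__":
    for name, verdict in triage_sessions(sample_sessions()).items():
        print(f"{name}: {verdict}")
```

The asymmetry between the two verdicts is the point: a telnet hit is evidence of an exploitation attempt, while an SSH hit only tells you a NetScreen was administered over SSH and points you at the log entries to review.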
Meanwhile, Juniper has said nothing further about the problem since its initial disclosure last week, leaving some important questions unanswered.
Customers understandably want to know how unauthorized code got into the operating system of a security device in the first place and shipped in every unit, and how it went undetected for so long, at least two years by most accounts.
The implication is that VPN traffic customers believed was secure actually wasn’t, because, at the very least, whoever sabotaged the IPSec encryption code could decrypt it. The second problem is that the devices could be used as a way into networks to steal data or cause damage.