Critical Vulnerabilities in Juniper ScreenOS

CVE-2015-7755
CVE-2015-7756

Juniper published information about 2 critical vulnerabilities in ScreenOS.

CVE-2015-7755 - Administrative Access.

Versions: ScreenOS 6.3.0r17 through 6.3.0r20
This vulnerability allows unauthorized remote administrative access to the device (a firewall running ScreenOS).

A hard-coded password can be used to access the device over SSH or Telnet with any valid account.

CVE-2015-7756 - VPN Decryption

Versions: ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20
This vulnerability weakens the encryption of VPN communication so that it can be easily decrypted.

All VPN traffic sent before the patch must be considered compromised, and all connections made in cleartext through the VPN must be changed as soon as possible.

Remediations

The best way to fix the problem is to update the firmware with the patch provided by Juniper on their website. Instructions are available at the following link: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search

If it is not possible to patch immediately, you should filter access to the administrative interface (SSH and Telnet) and allow only trusted sources.

All VPN connections should be considered unsafe and should not be used until the device is patched.
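
To decide which devices need the patch first, the affected version ranges listed for the two CVEs can be checked against a firewall inventory. The script below is an added example, not code from Juniper or from this advisory; the hostnames and versions in the inventory are constructed, and the parser assumes version strings of the form 6.3.0r17, with or without a dot before the "r".

```python
import re

# Affected ranges as listed in this advisory: CVE -> [(branch, first_r, last_r)].
AFFECTED = {
    "CVE-2015-7755": [((6, 3, 0), 17, 20)],
    "CVE-2015-7756": [((6, 2, 0), 15, 18), ((6, 3, 0), 12, 20)],
}

# Accepts "6.3.0r17" and "6.3.0.r17". Anything else, including a suffix after
# the release number, is rejected: the advisory's ranges do not cover it.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.?r(\d+)", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), release); raise ValueError if unparseable."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ScreenOS version: {text!r}")
    major, minor, patch, release = map(int, m.groups())
    return (major, minor, patch), release

def affected_cves(version_text):
    """Return the sorted CVE IDs whose listed range contains this version."""
    branch, release = parse_version(version_text)
    return sorted(
        cve
        for cve, ranges in AFFECTED.items()
        if any(b == branch and lo <= release <= hi for b, lo, hi in ranges)
    )

def triage(inventory):
    """Map host -> CVE list; unparseable versions get ["MANUAL-REVIEW"], never "clean"."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = affected_cves(version)
        except ValueError:
            report[host] = ["MANUAL-REVIEW"]
    return report

# Constructed inventory (hypothetical hostnames and versions) for illustration.
SAMPLE_INVENTORY = {
    "fw-edge-01": "6.3.0r19", "fw-branch-02": "6.2.0.r16", "fw-lab-03": "6.3.0r14",
    "fw-dc-04": "6.3.0r11", "fw-old-05": "6.3.0r19x",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, ", ".join(cves) or "not in listed ranges")
```

A version that does not match the plain release format is flagged for manual review against the vendor advisory instead of being guessed.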

Investigations

If your system is in production, it is strongly recommended to check your connection logs and the most recent modifications applied to the device.

Because attackers have admin access, logs on the devices could have been tampered with or deleted. You should trust only central logging.

Detection

Snort rules have been published and are available at https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f