-
Notifications
You must be signed in to change notification settings - Fork 14
/
cmty-ssh-default-account-admin-password-juniperbackdoor.xml
52 lines (45 loc) · 3.36 KB
/
cmty-ssh-default-account-admin-password-juniperbackdoor.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?xml version="1.0" encoding="UTF-8"?>
<Vulnerability id="cmty-ssh-default-account-admin-password-juniperbackdoor" published="2016-09-26" added="2016-09-26" modified="2016-09-26" version="1.0">
<name>Default ssh account: admin password <![CDATA["<<< %s(un='%s') = %u"]]></name>
<severity>10</severity>
<cvss>(AV:N/AC:L/Au:N/C:C/I:C/A:C)</cvss>
<Tags>
<tag>Default Account</tag>
<tag>SSH</tag>
</Tags>
<AlternateIds>
<id name="CVE">CVE-2015-7755</id>
<id name="URL">https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor</id>
</AlternateIds>
<Description>
<p>The admin account uses a password of <![CDATA[<<< %s(un='%s') = %u]]>. This would allow
anyone to log into the machine via SSH and take complete
control.</p>
<p>On December 18th, 2015 Juniper issued an advisory indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues; a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. - hdmoore
</p>
<p> The following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases.
Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b.
All affected software releases on http://www.juniper.net/support/downloads/screenos.html have been updated with these fixes.
KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.</p>
</Description>
<Solutions>
<Solution id="cmty-ssh-default-account-admin-password-juniperbackdoor" time="15m">
<summary>Fix Default SSH account: admin password: <![CDATA[<<< %s(un='%s') = %u]]></summary>
<workaround>
<p>
The Juniper SIRT strongly recommends upgrading to a fixed release (in Solution section above) to resolve these critical vulnerabilities.
CVE-2015-7755 (unauthorized access) Mitigation
Restricting management access to only trusted management networks and hosts will help mitigate this issue. The attack can only be executed from a location where a legitimate management login would be permitted.
CVE-2015-7756 (VPN decryption) Mitigation
No workaround or detection exists for the VPN decryption vulnerability.
Security Best Current Practice (BCP)
In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit management access to the device only from trusted, internal, administrative networks or hosts.
</p>
<p>
How to obtain fixed software:
ScreenOS software releases are available at http://www.juniper.net/support/downloads/screenos.html
</p>
</workaround>
</Solution>
</Solutions>
</Vulnerability>