By now many in the network and security field will have heard about the announcement from Juniper. Juniper's statement that an internal code review had identified malicious code in its ScreenOS platform sparked a marked increase in hype on the Twittersphere. People everywhere, from the US Senate down to the local security administrator, have been commenting.
Questions ranging from "Who put it there?" and "Why did they put it there?" to "How did it not get noticed?" have been asked. Was it China or the NSA? Do we know who? No, we do not. Should we speculate? No, we should not. Will we find out the truth? Not unless it is a controlled media statement. To be honest, these things are currently above my pay grade and will stay that way.
So, as a network administrator who used to manage these devices (and has upgraded some old ones at my previous workplaces), what should you do?
Let's review what is known to the public:
- Juniper revealed that they noticed additional, unauthorised code in the ScreenOS source. It has been there since 2012.
- The affected versions are ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
- VPN traffic passing through the device can be decrypted and subsequently inspected.
- System access can be gained via any named account active on the device with the password <<< %s(un='%s') = %u
Instead of running around like a headless chook calling for blood, there are some courses of action to take:
1. Is this firewall internet facing, or does it have internet access? If not, plan and validate the risk profile, and plan to update the version. See 2 and 3.
2. Juniper have released updated versions of the ScreenOS software. Update as soon as possible.
3. Deploy IDS or Snort rules that detect any login using the backdoor password against a named account; these will generate the appropriate alert. The FOX-SRT signatures below do exactly that:
# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
# Additionally a signature for detecting world reachable ScreenOS devices over SSH.
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,fox.juniper.screenos.password; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:successful-admin; sid:21001731; rev:1;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; priority:1; sid:21001728; rev:1;)
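To make the flowbit chain in those three telnet rules easier to follow, here is a small Python model of it, added here and not part of the original post or of the FOX-SRT rules; it is not Snort, and the telnet session bytes and the hostname fw01 are constructed for illustration.

```python
# Added example: a tiny state machine mirroring the flowbit chain of the
# FOX-SRT telnet rules (not Snort itself, not Juniper code).
BANNER = b"Remote Management Console\r\n"   # rule 21001729: server banner, offset 0, depth 27
BACKDOOR_PW = bytes.fromhex("3c3c3c20257328756e3d2725732729203d202575")  # rule 21001730 content
PROMPT_TAIL = b"-> "                         # rule 21001731: CLI prompt with no data after it


def analyse_session(packets):
    """packets: list of (direction, payload) for one telnet flow, in order;
    direction is "s2c" (server to client) or "c2s" (client to server).
    Returns the alert names in the order the Snort rules would fire them."""
    screenos = False       # flowbit fox.juniper.screenos (set by the noalert banner rule)
    password_seen = False  # flowbit fox.juniper.screenos.password
    alerts = []
    for direction, payload in packets:
        if direction == "s2c" and payload.startswith(BANNER):
            screenos = True                      # flowbits:noalert -> state only, no alert
        elif direction == "c2s" and screenos and BACKDOOR_PW in payload:
            password_seen = True
            alerts.append("backdoor password attempt")   # classtype:attempted-admin
        elif direction == "s2c" and password_seen and payload.endswith(PROMPT_TAIL):
            # isdataat:!1,relative: the "-> " prompt must be the last thing in the packet
            alerts.append("successful logon")            # classtype:successful-admin
    return alerts


# Constructed sample flow: any named account plus the backdoor password.
# "fw01" is a made-up hostname; ScreenOS prompts look like "<hostname>-> ".
BACKDOOR_SESSION = [
    ("s2c", b"Remote Management Console\r\nlogin: "),
    ("c2s", b"admin\r\n"),
    ("s2c", b"password: "),
    ("c2s", BACKDOOR_PW + b"\r\n"),
    ("s2c", b"\r\nfw01-> "),
]

# Same bytes sent to a host that never showed the ScreenOS banner: the
# flowbit gate keeps the password and logon rules silent.
NON_SCREENOS_SESSION = [
    ("s2c", b"login: "),
    ("c2s", b"admin\r\n"),
    ("c2s", BACKDOOR_PW + b"\r\n"),
    ("s2c", b"\r\nfw01-> "),
]

if __name__ == "__main__":
    print(analyse_session(BACKDOOR_SESSION))      # ['backdoor password attempt', 'successful logon']
    print(analyse_session(NON_SCREENOS_SESSION))  # []
```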
Does this put a nail in the coffin of the Security business unit of Juniper? Probably not. What isn't kosher is the fact that vendors are out for blood and throwing stones. I work for a software company. Network companies are evolving into software companies. I put this tweet out the other day:
In the wake of @JuniperNetworks security brouhaha it would be wise for other vendors not to throw stones.
— Anthony Burke (@pandom_) December 21, 2015
Now more than ever we should be vigilant. We should work to better ourselves. United we stand and together we fall.
For some more reading this Wired article provides a great summary.