ISC’s infocon turns yellow to reflect critical impact of Juniper backdoors

SANS Institute’s Internet Storm Center has raised its infocon status, its indicator of the overall health of the Internet infrastructure, from green to yellow, following the public revelation of two backdoors in Juniper’s NetScreen firewall devices and the publication of the password that allows easy exploitation of one of them.

SANS ISC CTO Johannes Ullrich added two more reasons behind this decision: “Juniper devices are popular, and many organizations depend on them to defend their networks. With this week being a short week for many of us, addressing this issue today is critical.”

“There are two distinct issues,” he added. “First of all, affected devices can be accessed via telnet or ssh using a specific ‘backdoor’ password. This password cannot be removed or changed unless you apply Juniper’s patch. Secondly, a purposely introduced weakness in the IPSEC encryption code allows an attacker familiar with the weakness to decrypt VPN traffic.”

Applying the patches provided by Juniper is the only way to secure affected devices: SANS ISC lists no effective mitigation for either vulnerability.

To underline the seriousness of the issue, Ullrich also shared that SANS ISC’s ssh honeypots are already being targeted with the public exploits.

“Our honeypot doesn’t emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be ‘manual’ in that we do see the attacker trying different commands,” he noted, and added that admins of devices that can be found via Shodan (currently around 26,000 devices) can definitely expect to be attacked.

There are also ways to check whether your devices have already been targeted: Fox-IT has released several Snort rules to help admins spot exploitation on the wire. Note that such rules can only match the backdoor password in cleartext telnet sessions; ssh sessions are encrypted, so for those the device’s own login logs are the place to look.

As a reminder: Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the fixed backdoor password (CVE-2015-7755), and those running ScreenOS 6.2.0r15 through 6.2.0r18 and ScreenOS 6.3.0r12 through 6.3.0r20 are affected by the VPN decryption vulnerability (CVE-2015-7756). Updating to version 6.3.0r21 is recommended.
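As an added illustration (not code from the article, SANS ISC or Fox-IT), the following Python script turns the affected-version ranges above into a triage check and shows the kind of test a telnet detection rule performs: it reassembles a client’s keystrokes per flow and looks for the published CVE-2015-7755 backdoor password, which the article mentions but does not print. The flow ids and packet tuples are constructed sample data; the password constant is the publicly documented one.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# --- Part 1: version triage from the affected ranges the article lists --------

# Inclusive build ranges per CVE, keyed by the (major, minor, maintenance) train.
AFFECTED_BUILDS = {
    "CVE-2015-7755": {(6, 3, 0): (17, 20)},                       # fixed backdoor password
    "CVE-2015-7756": {(6, 2, 0): (15, 18), (6, 3, 0): (12, 20)},  # VPN decryption weakness
}
FIXED_VERSION = "6.3.0r21"  # the release the article recommends updating to

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(version: str) -> Tuple[int, int, int, int]:
    """'6.3.0r18' -> (6, 3, 0, 18). A trailing '.N' sub-build, if present, is ignored."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, maint, build = (int(x) for x in m.groups())
    return major, minor, maint, build


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose published affected range covers `version`."""
    major, minor, maint, build = parse_screenos_version(version)
    hits = []
    for cve, trains in AFFECTED_BUILDS.items():
        rng = trains.get((major, minor, maint))
        if rng is not None and rng[0] <= build <= rng[1]:
            hits.append(cve)
    return sorted(hits)


# --- Part 2: spotting the backdoor password in captured telnet traffic --------

# The published CVE-2015-7755 backdoor password. The article says it was made
# public but does not print it; it is the string a telnet detection rule matches.
BACKDOOR_PASSWORD = b"<<< %s(un='%s') = %u"


def telnet_backdoor_attempts(packets: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """Return the flow ids in which a client sent the backdoor password to a telnet server.

    `packets` is a sequence of (flow_id, direction, payload), direction being
    'c2s' (client->server) or 's2c'. Client bytes are reassembled per flow before
    matching: a telnet client in character mode sends one key per segment, so a
    per-packet match would never see the whole password.
    """
    client_bytes: Dict[str, bytearray] = defaultdict(bytearray)
    for flow_id, direction, payload in packets:
        if direction == "c2s":
            client_bytes[flow_id] += payload
    return sorted(f for f, data in client_bytes.items() if BACKDOOR_PASSWORD in data)


# Constructed sample capture (hypothetical flow ids): flow-A is a line-mode client
# sending the password in one segment, flow-B a character-mode client sending it
# one byte at a time, flow-C a benign login with a made-up password.
SAMPLE_PACKETS = [
    ("flow-A", "s2c", b"login: "),
    ("flow-A", "c2s", b"netscreen\r\n"),
    ("flow-A", "s2c", b"password: "),
    ("flow-A", "c2s", BACKDOOR_PASSWORD + b"\r\n"),
    ("flow-B", "s2c", b"login: "),
    ("flow-B", "c2s", b"root\r\n"),
    ("flow-B", "s2c", b"password: "),
] + [("flow-B", "c2s", bytes([b])) for b in BACKDOOR_PASSWORD] + [
    ("flow-C", "s2c", b"login: "),
    ("flow-C", "c2s", b"netscreen\r\n"),
    ("flow-C", "s2c", b"password: "),
    ("flow-C", "c2s", b"hunter2\r\n"),
]


if __name__ == "__main__":
    for v in ("6.2.0r14", "6.2.0r15", "6.3.0r12", "6.3.0r17", "6.3.0r20", FIXED_VERSION):
        print(f"{v:10s} affected by: {affected_cves(v) or 'nothing listed'}")
    print("backdoor password seen in flows:", telnet_backdoor_attempts(SAMPLE_PACKETS))
```

Feed `affected_cves()` the version strings from your inventory (e.g. the output of `get system` collected per device) to rank patching order; flows flagged by `telnet_backdoor_attempts()` are the sessions to pull device logs for, since the string match on its own does not tell you whether the login succeeded.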
