CVE-2015-7755:

Overview

Remediation

• Upgrade to a fixed ScreenOS release. Juniper provided patches; upgrade to 6.3.0r21 or later (or the vendor’s latest recommended version at the time) to mitigate the vulnerability. Plan the upgrade during a maintenance window, test in a lab environment first, and verify the fix in production.
• If immediate upgrade is not possible, restrict management access. Disable or tightly control SSH and TELNET access to management interfaces from untrusted networks. Use VPN or jump hosts and apply strict ACLs to limit who can reach the devices.
• Enforce strong authentication and monitor. Ensure administrative accounts use robust, unique passwords, enable multi-factor authentication where available, and monitor logs for unusual login attempts or successful administrative sessions.
• Validate post-remediation. After upgrading or applying mitigations, verify that remote admin access requires proper authentication and that devices no longer allow bypass via SSH/TELNET. Review configuration backups and perform a follow-up security assessment.
• Consider ongoing hardening. Regularly apply vendor security advisories, keep firmware up to date, and implement network segmentation to minimize exposure of management interfaces.

References

• - Ars Technica: Unauthorized code in Juniper firewalls decrypts encrypted VPN traffic. https://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
• - Wired: Juniper Networks hidden backdoors show the risk of government backdoors. https://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
• - SecurityTracker: 1034489 entry. http://www.securitytracker.com/id/1034489
• - CERT-VN: VU#640184. http://www.kb.cert.org/vuls/id/640184
• - Juniper Forums: Important Announcement about ScreenOS. https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
• - GitHub: juniper-cve-2015-7755. https://github.com/hdm/juniper-cve-2015-7755
• - Juniper JSA10713: Knowledge base entry. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713
• - Twitter: cryptoron status. http://twitter.com/cryptoron/statuses/677900647560253442
• - Adam Caudill: Much Ado About Juniper. https://adamcaudill.com/2015/12/17/much-ado-about-juniper/
• - Forbes: Juniper says it didn’t work with government to add unauthorized code to network gear. http://www.forbes.com/sites/thomasbrewster/2015/12/18/juniper-says-it-didnt-work-with-government-to-add-unauthorized-code-to-network-gear/
• - SecurityFocus BID: 79626. http://www.securityfocus.com/bid/79626