JunOS/ScreenOS Vulnerability Helps to Emphasize the Importance of Remote Log Storage
Article written by: Adam Hall -
2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username1’ at host
According to the above log, user ‘username1’ has logged into a machine as an admin. This user is not a valid admin.
CVE-2015-7755 is a Juniper ScreenOS vulnerability that affects multiple versions of ScreenOS. This vulnerability allows remote attackers to obtain administrative access by entering an unspecified password during a SSH or TELNET session. This vulnerability can lead to ‘complete compromise of the affected device’ (Juniper Networks Inc., 2015). According to rapid7, there is a strcmp call being made that compares a password to a backdoor password… this allows for an attacker to bypass authentication through SSH and Telnet using any username (hdmoore, 2015). Versions affected include ScreenOS 6.2.0r15 – 6.2.0r18 and 6.3.0r12 – 6.3.0r20. Juniper recommends patching systems as soon as possible. This vulnerability is of a high concern, as the backdoor password has been released to the public!
CVE-2015-7756 is a Juniper ScreenOS vulnerability that affects the same versions as CVE-2015-7755, but the two vulnerabilities are not dependent on one another. CVE-2015-7766 provides the ability for an attacker to decrypt the VPN traffic.
Quadrant has deployed rules which can help to detect CVE-2015-7755 exploitation. These rules can be downloaded from https://github.com/beave/sagan-rules/blob/master/juniper.rules and https://github.com/beave/sagan-rules/blob/master/juniper-geoip.rules. The links to Quadrants rules are also available from https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor.
While these rules can be applied and used now and going forward, Quadrant can also retroactively apply these rules to previous log data to determine if our clients have already been exposed. Quadrant can also leverage its use of Bro to parse through the available Bro logs to search SSH and Telnet traffic specifically.
According to Juniper and their CVE-2015-7755 vulnerability, ‘a skilled attacker would remove these entries from the local log file, thus eliminating any reliable signature that the device had been compromised’ (Juniper Networks Inc., 2015). The best defense for this attack and many others is to use remote log storage. While the attacker may be able to delete the local logs, the attacker cannot delete the storage of the remote log. Using a company like Quadrant and storing logs on our Sagan device will provide your network with the type of log security that would be able to help defend against this type of attack. Even if an attacker were to stop the device from sending logs, a log would still be sent to notify that the device has stopped log forwarding.
hdmoore. (2015, December 20). CVE-2015-7755: Juniper ScreenOS Authentication Backdoor. Retrieved from community.rapid7.com: https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor
Juniper Networks Inc. (2015, December). 2015-12 Out of Cycle Secruity Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756). Retrieved from kb.juniper.net: kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search