Securezoo Articles
Article Topics   
By Frank Crast, 12/22/2015

Late last week Juniper announced two critical vulnerabilities were discovered in its ScreenOS. The first vulnerability could lead to unauthorized remote administrative access to the device, such as via SSH or telnet. The second flaw could allow a skilled attacker to monitor and decrypt VPN traffic. Juniper has fixed both vulnerabilities in recent ScreenOS software updates. Other related stories have emerged on whether some companies have (or would be willing) to allow government back door access to its systems. 

Juniper released a 2015-12 Out of Cycle Security Bulletin for the two vulnerabilities that were discovered via an internal code review.

The first, Administrative Access (CVE-2015-7755), "allows unauthorized remote administrative access to the device. Exploitation of this vulnerability can lead to complete compromise of the affected device." 

The second, VPN Decryption (CVE-2015-7756), "may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue."

The patches are available via Juniper's software download site. 

Following the Juniper security announcement, Cisco wrote in a blog that the company will be proactively reviewing its products for any malicious modifications.

Cisco emphasizes it has a "no backdoor" policy: "Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions."

Cisco also stated no indication of unauthorized software: "We have seen none of the indicators discussed in Juniper’s disclosure. Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance."

In a related story, Apple's CEO Tim Cook says Apple has no intent to allow back doors to its products. Apple and other technology companies are under pressure from both privacy advocates, who don't want to allow government back door access, and security advocates who say encryption allows criminals to hide their communications from law enforcement.  

In an interview with CBS' 60 Minutes, Tim Cook stated, "I don't believe that the tradeoff here is privacy versus national security."

"There have been people that suggest that we should have a back door," he added. "But the reality is if you put a back door in, that back door's for everybody, for good guys and bad guys."

In another related article, see Bruce Schneier's blog "Back Door in Juniper Firewalls," that describes a possible presence of a backdoor-friendly RNG and also a technical overview of the SSH backdoor.

Topic: Network Security, Patch Management, Vulnerability Management