Juniper ScreenOS firmware hid backdoors
Juniper disclosed that unauthorized code entered official ScreenOS firmware for NetScreen firewalls. CVE-2015-7755 opened hidden SSH/Telnet admin access; CVE-2015-7756 could let an observer decrypt VPN traffic.
Story
The Juniper ScreenOS incident was not a normal bug disclosure. Juniper said an internal review found unauthorized code in ScreenOS, the operating system for NetScreen firewalls. The affected firmware was official vendor firmware, distributed through the normal ScreenOS channel, and the product sat directly on network boundaries.
CVE-2015-7755 was the administrative-access backdoor. Rapid7 and Fox-IT analysis found an authentication path in SSH and Telnet that compared the supplied password against the string <<< %s(un='%s') = %u. The string looked like a format string, but on vulnerable builds it was a master password: any username could reach an administrative shell with the highest privileges.
CVE-2015-7756 was a separate VPN decryption vulnerability. Juniper described it as independent of the authentication bypass. Public cryptographic analysis tied it to ScreenOS random-number generation, Dual_EC_DRBG, and a changed Q parameter. The attacker did not need a large code change: replacing the parameter was enough, provided whoever held the secret corresponding to the new Q could observe the generator's raw output.
The deeper lesson was that ScreenOS already contained a dangerous cryptographic design. Dual_EC output was meant to be hidden behind an ANSI X9.17 generator, but researchers found paths where raw Dual_EC output could surface. The unauthorized parameter change then turned weak plumbing into a practical passive decryption path for VPN traffic.
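How the changed Q parameter and the "corresponding secret" relate, as an added explanatory note (not part of the original record); the notation is the standard published description of Dual_EC_DRBG, and the scalar name e is this note's own choice:

```latex
% Dual_EC_DRBG with curve points P, Q and integer state s_i:
s_{i+1} = x(s_i P), \qquad r_i = x(s_i Q), \qquad \mathrm{output}_i = \mathrm{trunc}(r_i)

% If whoever chose Q also knows e with P = eQ, then from the point R_i = s_i Q
% (recoverable from r_i up to the truncated bits and the sign of y)
x(e R_i) = x(e\, s_i Q) = x(s_i P) = s_{i+1}

% so one raw r_i determines every later state and output. The X9.17 layer was
% meant to keep r_i itself off the wire:
k_i = \mathrm{X917}(r_i)

% A code path that emits r_i instead of k_i exposes the state to a passive
% observer who knows e; swapping Q for Q' = e'^{-1} P hands that role to
% whoever chose e'.
```

This is why the page describes the parameter swap as piggybacking on an existing weakness: the unauthorized change supplied a new e', and the pre-existing exposure of raw output supplied the r_i.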
Affected Artifacts
CVE-2015-7755 (authentication backdoor)
- Observed: 2013-12-01 to 2015-12-17
- Compromised Versions: not listed in the record
- Fixed: 6.3.0r21
- Evidence:
  - distribution: supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756
  - mirror: rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor
  - cve: CVE-2015-7755
  - string: <<< %s(un='%s') = %u
  - +4 more
- Notes:
  - Juniper's original bulletin and CVE text list a broader affected range; Rapid7 reported that the authentication backdoor was not present in earlier 6.2.0 and 6.3.0 samples it examined, and noted Juniper confirmation for 6.3.0r17 through 6.3.0r20.
  - Rapid7 estimated about 26,000 internet-facing NetScreen devices with SSH open shortly after disclosure.

CVE-2015-7756 (VPN decryption)
- Observed: 2012-09-01 to 2015-12-17
- Compromised Versions: not listed in the record
- Evidence:
  - distribution: supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756
  - mirror: wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault
  - cve: CVE-2015-7756
  - crypto: Dual_EC_DRBG
  - +1 more
- Notes:
  - Juniper described CVE-2015-7756 as independent of the administrative-access issue.
  - Public analysis connected the weakness to ScreenOS random number generation and the replacement of the Dual_EC_DRBG Q parameter.
  - Matthew Green summarized the public cryptographic analysis: the 2012 change appeared to replace the Dual_EC Q value and test vectors, letting an attacker piggyback on an existing ScreenOS design weakness rather than add a large new decryption module.
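Two checks a defender wants from the record above, as an added example that is not Juniper, Rapid7 or Fox-IT code: whether a device's ScreenOS build falls in the range Juniper confirmed for the authentication backdoor (6.3.0r17 through 6.3.0r20, fixed in 6.3.0r21), and whether a reassembled client-to-server Telnet stream contains the master password from the Story section. The Telnet byte streams are constructed; the function names, the exposure labels and the negotiation-stripping logic are this example's own.

```python
"""Triage helpers for the ScreenOS CVE-2015-7755 backdoor: version exposure and
Telnet-capture matching.  Added example; not vendor or researcher code."""
import re

# Master password accepted by vulnerable builds, as reported in the public analysis.
BACKDOOR_PASSWORD = b"<<< %s(un='%s') = %u"

# Range Juniper confirmed to Rapid7 for the authentication backdoor, and the fixed
# release.  Juniper's own bulletin lists a broader range that is not modelled here.
CONFIRMED_RANGE = ((6, 3, 0, 17), (6, 3, 0, 20))
FIXED_RELEASE = (6, 3, 0, 21)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(text: str) -> tuple:
    """'6.3.0r19' -> (6, 3, 0, 19); the rN suffix is compared numerically, not as text."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {text!r}")
    return tuple(int(g) for g in m.groups())


def backdoor_exposure(text: str) -> str:
    """Classify a build against the confirmed range (labels are this example's own)."""
    v = parse_screenos_version(text)
    if v >= FIXED_RELEASE:
        return "fixed"
    if CONFIRMED_RANGE[0] <= v <= CONFIRMED_RANGE[1]:
        return "confirmed-vulnerable"
    return "unconfirmed"  # outside the Rapid7-confirmed range; consult Juniper's bulletin


IAC, SB, SE = 0xFF, 0xFA, 0xF0
_THREE_BYTE = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT <option>


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Drop IAC command sequences from a reassembled client->server Telnet stream so
    the application bytes (what the user typed) are contiguous."""
    out, i = bytearray(), 0
    while i < len(stream):
        b = stream[i]
        if b != IAC or i + 1 >= len(stream):
            out.append(b)
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:            # escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in _THREE_BYTE:  # IAC <cmd> <option>
            i += 3
        elif cmd == SB:           # IAC SB ... IAC SE subnegotiation
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = len(stream) if end < 0 else end + 2
        else:                     # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def find_backdoor_password(stream: bytes) -> list:
    """Offsets (in the de-negotiated stream) where the backdoor password was typed.
    SSH sessions are encrypted, so wire matching only applies to Telnet captures."""
    data = strip_telnet_negotiation(stream)
    hits, start = [], 0
    while (idx := data.find(BACKDOOR_PASSWORD, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


# Constructed client->server streams: both negotiate one option and log in as
# 'admin'; only the first types the backdoor password.
SUSPECT_STREAM = b"\xff\xfd\x03admin\r\n" + BACKDOOR_PASSWORD + b"\r\n"
BENIGN_STREAM = b"\xff\xfd\x03admin\r\nCorrectHorse\r\n"

if __name__ == "__main__":
    print(backdoor_exposure("6.3.0r19"), find_backdoor_password(SUSPECT_STREAM))
```

For SSH, where the password never appears on the wire, the version check plus device-side authentication logs showing unexpected administrative logins are the available signals; the Telnet matcher mirrors what the vendor IDP signature listed under External References looks for.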
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Source Code Compromise
- Transitive: No
- Actor: Nation-state
External References
- 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (supportportal.juniper.net)
- CVE-2015-7755: Juniper ScreenOS Authentication Backdoor (rapid7.com)
- TROJAN: Juniper ScreenOS Telnet Backdoor Password Attempt (juniper.net)
- Researchers Solve the Juniper Mystery and They Say It's Partially the NSA's Fault (wired.com)
- Deep dive into CVE-2015-7755 Juniper ScreenOS authentication backdoor (blog.fox-it.com)
- Juniper ScreenOS contains multiple vulnerabilities (kb.cert.org)
- On the Juniper backdoor (blog.cryptographyengineering.com)
Source record: proprietary/juniper-screenos/meta.yaml