A honeypot set up by researchers has shown that attackers have already attempted to exploit a recently disclosed vulnerability that can be used to gain administrative access to Juniper Networks’ NetScreen firewalls.
Juniper Networks warned customers last week that it had identified unauthorized code in some versions of the ScreenOS operating system running on NetScreen devices. This code has been found to introduce two vulnerabilities: one that can be exploited to remotely gain administrative access to a device via telnet or SSH (CVE-2015-7755), and one that can be leveraged by an attacker with access to VPN connections to decrypt VPN traffic (CVE-2015-7756).
Security experts have analyzed the code changes between the vulnerable and patched versions of ScreenOS and determined that the remote admin access was likely possible due to a default password disguised in the code as a debug string. It took Fox-IT researchers only six hours to find the password.
Exploit Attempts in the Wild
Researchers at the SANS Technology Institute’s Internet Storm Center (ISC) have deployed a honeypot designed to emulate ScreenOS. Attackers have been using the backdoor password disclosed earlier this week in an attempt to access the honeypot via SSH.
“Our honeypot doesn’t emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be ‘manual’ in that we do see the attacker trying different commands,” said Johannes Ullrich, dean of research at the SANS Technology Institute.
The SANS Institute’s honeypots detected tens of exploit attempts, most of which used the usernames “root” and “admin.” Other usernames seen by experts include “netscreen,” “login,” “administrator,” “test” and “system.”
Of the 78 attempts recorded in a five-hour timeframe, two dozen came from an IP address in a range owned by a Netherlands-based media and communications services provider. One of the IPs belongs to security firm Qualys and the request is most likely part of the company’s research efforts.
The authentication bypass flaw impacts ScreenOS 6.3.0r17 through 6.3.0r20 and is believed to have been introduced sometime in late 2013. The VPN decryption issue affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and appears to have been introduced in 2012.
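A small triage helper, added here as an example rather than code from Juniper or the researchers cited, that maps reported ScreenOS versions onto the two affected ranges above. The accepted version-string format (`6.3.0r17` or `6.3.0r17.0`) and the sample inventory are assumptions.

```python
import re

# Affected ranges exactly as the advisory is summarised above:
# (major, minor, patch, release) tuples, inclusive at both ends.
AFFECTED = {
    "CVE-2015-7755": [((6, 3, 0, 17), (6, 3, 0, 20))],
    "CVE-2015-7756": [((6, 2, 0, 15), (6, 2, 0, 18)),
                      ((6, 3, 0, 12), (6, 3, 0, 20))],
}

# Accepts "6.3.0r17" and the longer "6.3.0r17.0" form. Treating the trailing
# ".N" as a build number that does not change the range check is an assumption.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_version(text):
    """Turn a ScreenOS version string into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(text):
    """Return the set of CVE ids whose affected range contains this version."""
    v = parse_version(text)
    return {cve for cve, ranges in AFFECTED.items()
            if any(lo <= v <= hi for lo, hi in ranges)}


def triage(inventory):
    """Map device name -> sorted CVE list; unparseable versions are flagged."""
    report = {}
    for device, version in inventory.items():
        try:
            report[device] = sorted(affected_cves(version))
        except ValueError:
            # Never let a bad inventory entry read as "not affected".
            report[device] = ["unknown-version"]
    return report


# Constructed sample inventory (device name -> reported software version).
SAMPLE_INVENTORY = {
    "fw-dc1": "6.3.0r17.0",
    "fw-dc2": "6.2.0r16.0",
    "fw-old": "5.4.0r10.0",
    "fw-bad": "n/a",
}

if __name__ == "__main__":
    for device, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {', '.join(cves) or 'not affected'}")
```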
Several experts have conducted an analysis of the authentication vulnerability and discovered that its root cause is a default password, “<<< %s(un='%s') = %u,” that can be exploited by an attacker who knows a valid username to gain admin access.
Once an attacker hacks into a device, they can remove the log entries to cover their tracks. However, as experts highlighted, if logs are monitored by a security information and event management (SIEM) product or other security solutions, an attack attempt could trigger alerts.
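The alerting idea in the paragraph above, together with the username pattern the ISC honeypot recorded, as an added detection example that is not from the article, SANS or Juniper. The log layout, the field names and the 10.0.0.0/8 management network are constructed assumptions to adapt to real forwarded ScreenOS syslog.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified syslog-like layout; real ScreenOS
# messages are formatted differently, so LINE_RE is an assumption to adapt.
SAMPLE_LOGS = [
    '2015-12-20T10:01:02 fw-dc1 admin-login user="root" proto=ssh src=203.0.113.10 result=success',
    '2015-12-20T10:01:05 fw-dc1 admin-login user="admin" proto=ssh src=203.0.113.10 result=success',
    '2015-12-20T10:01:09 fw-dc1 admin-login user="netscreen" proto=ssh src=203.0.113.11 result=success',
    '2015-12-20T10:02:00 fw-dc1 admin-login user="netscreen" proto=ssh src=10.0.0.5 result=success',
    '2015-12-20T10:02:30 fw-dc1 admin-login user="test" proto=telnet src=198.51.100.7 result=failure',
    '2015-12-20T10:03:00 fw-dc1 admin-login user="system" proto=ssh src=203.0.113.10 result=success',
    'this line is not a login event and must be ignored',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) admin-login user="(?P<user>[^"]*)" '
    r'proto=(?P<proto>\w+) src=(?P<src>[\d.]+) result=(?P<result>\w+)$'
)

# Assumed management network; admin logins from anywhere else are suspicious.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def from_mgmt(src):
    return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)


def analyze(lines, min_distinct_users=3):
    """Return (rule, source, detail) alerts for a forwarded log stream."""
    alerts, users_by_src = [], defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        users_by_src[ev["src"]].add(ev["user"])
        # Rule 1: successful telnet/SSH admin login from outside management. Any
        # username works with the backdoor, so the source is the signal, and the
        # forwarded copy survives even if the device's own log is cleared later.
        if (ev["result"] == "success" and ev["proto"] in ("ssh", "telnet")
                and not from_mgmt(ev["src"])):
            alerts.append(("admin_login_outside_mgmt", ev["src"], ev["user"]))
    # Rule 2: one source cycling through several usernames, as the honeypot saw.
    for src, users in users_by_src.items():
        if len(users) >= min_distinct_users:
            alerts.append(("username_spray", src, ",".join(sorted(users))))
    return alerts
```

The sample stream yields four out-of-management login alerts and one spray alert for 203.0.113.10; the login from 10.0.0.5 and the failed telnet attempt raise nothing.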
Rapid7’s HD Moore reported that there are roughly 26,000 NetScreen devices accessible via the Internet.
The VPN vulnerability is believed to be related to the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), which is used by ScreenOS as a pseudo-random number generator (PRNG). Dual EC DRBG is known to contain a backdoor, but Juniper noted that it hasn’t used it as the primary RNG and it changed the pre-defined elliptic curve points cited by NIST, which should mitigate security risks.
Experts pointed out that while Juniper might have changed one of the points to make the system secure, someone appears to have broken into the networking company’s systems and changed the point again.
Ralf-Philipp Weinmann, founder and CEO of research and consulting company Comsecuris, told Wired that passively decrypting VPN traffic is possible due to a combination of inherent weaknesses in Dual EC, the changed point, and a configuration problem introduced by Juniper. The expert believes the patch released by Juniper doesn’t properly address the problem.
NSA or Foreign Government
The theory that the U.S. National Security Agency might be responsible for the ScreenOS backdoor is partly based on older reports claiming that the agency had targeted Juniper products.
Furthermore, the vulnerable Dual EC standard is said to be an NSA effort to introduce a backdoored PRNG. The backdoor allows an attacker who possesses a secret key to predict future output.
The NSA reportedly paid RSA $10 million to get the company to use Dual EC by default in one of its toolkits.
CNN reported last week that U.S. officials are concerned that the Juniper backdoor could be the work of a foreign government, which has triggered an FBI investigation.
As Google security engineer Adam Langley and others have pointed out, it’s possible that another entity and not the NSA is behind the incident. However, by introducing the backdoor in Dual EC, the agency “laid the groundwork for someone else to attack US interests.”
Cisco Products Reviewed
After news of the unauthorized code broke, networking giant Cisco decided to review its own products for malicious changes. For the time being, the company says it hasn’t seen any of the indicators detailed in Juniper’s disclosure, but the company will be conducting a thorough analysis.
“Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk,” Cisco’s Anthony Grieco said. “Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience.”