[CVE-2015-7755] Backdoor in Juniper/ScreenOS
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announceme... https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST Should we blame Juniper for letting a git repository open to "unauthorized code" or should we congratulate them for their frankness (few corporations would have admitted the problem)?
Am Freitag, 18. Dezember 2015, 09:28:11 schrieb Stephane Bortzmeyer:
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announceme nt-about-ScreenOS/ba-p/285554
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat= SIRT_1
&actp=LIST
Should we blame Juniper for letting a git repository open to "unauthorized code" or should we congratulate them for their frankness (few corporations would have admitted the problem)?
I think we should do both, even if it would be interessting to know how long the problem already exists.
I think "unauthorized code" is still plausible newspeak for "bug". Why blame finger foo when you can blame terrorists?
On 18 Dec 2015, at 7:28, Dave Taht wrote:
I think "unauthorized code" is still plausible newspeak for "bug".
Why blame finger foo when you can blame terrorists?
It looks like two different holes, one a back door for unauthorized console login and one to somehow leak VPN encryption keys. There are hints that that latter involved tinkering with certain constants in the crypto (https://twitter.com/matthew_d_green/status/677871004354371584); that would squarely point the finger at some government's intelligence agency. I don't know who did it, but neither 'bug' nor 'developer debugging code' sounds plausible here.
On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
On 18 Dec 2015, at 7:28, Dave Taht wrote:
I think "unauthorized code" is still plausible newspeak for "bug".
Why blame finger foo when you can blame terrorists?
It looks like two different holes, one a back door for unauthorized console login and one to somehow leak VPN encryption keys. There are hints that that latter involved tinkering with certain constants in the crypto (https://twitter.com/matthew_d_green/status/677871004354371584); that would squarely point the finger at some government's intelligence agency.
I don't know who did it, but neither 'bug' nor 'developer debugging code' sounds plausible here.
On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
On 18 Dec 2015, at 7:28, Dave Taht wrote:
I think "unauthorized code" is still plausible newspeak for "bug".
Why blame finger foo when you can blame terrorists?
It looks like two different holes, one a back door for unauthorized console login and one to somehow leak VPN encryption keys. There are hints that that latter involved tinkering with certain constants in the crypto (https://twitter.com/matthew_d_green/status/677871004354371584); that would squarely point the finger at some government's intelligence agency.
I don't know who did it, but neither 'bug' nor 'developer debugging code' sounds plausible here.
That tweet got deleted, apparently to redraft/correct; is this the equivalent? https://twitter.com/sweis/status/677897914643976193 https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff... Royce
Yes. He's backing off a bit on the claim, since he doesn't have full context. --Steve Bellovin, https://www.cs.columbia.edu/~smb Sent from from a handheld; please excuse tyops
On Dec 18, 2015, at 12:27 PM, Royce Williams <royce@techsolvency.com> wrote:
On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
On 18 Dec 2015, at 7:28, Dave Taht wrote:
I think "unauthorized code" is still plausible newspeak for "bug".
Why blame finger foo when you can blame terrorists?
It looks like two different holes, one a back door for unauthorized console login and one to somehow leak VPN encryption keys. There are hints that that latter involved tinkering with certain constants in the crypto (https://twitter.com/matthew_d_green/status/677871004354371584); that would squarely point the finger at some government's intelligence agency.
I don't know who did it, but neither 'bug' nor 'developer debugging code' sounds plausible here.
That tweet got deleted, apparently to redraft/correct; is this the equivalent?
https://twitter.com/sweis/status/677897914643976193 https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff...
Royce
Hi,
Should we blame Juniper for letting a git repository open to "unauthorized code" or should we congratulate them for their frankness (few corporations would have admitted the problem)?
'un-authorized' - not authorized. this could be code/idea by some/one engineer for eg debugging purpose etc that just didnt get ANY signoff by anyone - so during code review they've questioned its presence and not found the relevant sign-off etc. take VW here...they are now blaming a small set of engineers who rigged the emissions system....if they can say that no managers/execs knew about this and it was purely in some small code team etc then that too is unauthorized code - but its internal, not an external bad guy (it will be interesting however, in that case, whether that really was the case and it WASNT known about by someone else...thus 'authorized' in that it wasnt stopped) alan
On Fri, Dec 18, 2015 at 09:28:11AM +0100, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote a message of 6 lines which said:
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announceme...
The password for the first backdoor (the one regarding telnet/SSH access) has been published recently: https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755... Shodan finds 26000 ScreenOS machines reachable from the Internet. It will be a small botnet :-)
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Dave Taht -
Doug Barton -
Karsten Thomann -
Royce Williams -
Stephane Bortzmeyer -
Steven M. Bellovin