Vulnerabilities > CVE-2015-7756 - Cryptographic Issues vulnerability in Juniper Screenos

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, juniper, CWE-310, nessus

Summary

The encryption implementation in Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 makes it easier for remote attackers to discover the plaintext content of VPN sessions by sniffing the network for ciphertext data and conducting an unspecified decryption attack.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL family: Firewalls
NASL id: SCREENOS_JSA10713.NASL
description: The remote host is running a version of Juniper ScreenOS that is 6.2.x prior to 6.2.0r19 or 6.3.x prior to 6.3.0r21. It is, therefore, affected by multiple vulnerabilities : - A backdoor exists that allows a remote attacker administrative access to the device over SSH or telnet. (CVE-2015-7755) - An unspecified flaw exists that allows a man-in-the-middle attacker to decrypt VPN traffic. (CVE-2015-7756) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87507
published: 2015-12-18
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87507
title: Juniper ScreenOS 6.2.0r15 < 6.2.0r19 / 6.3.0r12 < 6.3.0r21 Multiple Vulnerabilities (JSA10713)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87507);
  script_version("1.13");
  script_cvs_date("Date: 2018/09/17 21:46:53");

  script_cve_id("CVE-2015-7755", "CVE-2015-7756");
  script_bugtraq_id(79626);
  script_xref(name:"JSA", value:"JSA10713");
  script_xref(name:"CERT", value:"640184");

  script_name(english:"Juniper ScreenOS 6.2.0r15 < 6.2.0r19 / 6.3.0r12 < 6.3.0r21 Multiple Vulnerabilities (JSA10713)");
  script_summary(english:"Checks version of ScreenOS.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Juniper ScreenOS that is 6.2.x
prior to 6.2.0r19 or 6.3.x prior to 6.3.0r21. It is, therefore,
affected by multiple vulnerabilities :

  - A backdoor exists that allows a remote attacker
    administrative access to the device over SSH or telnet.
    (CVE-2015-7755)

  - An unspecified flaw exists that allows a
    man-in-the-middle attacker to decrypt VPN traffic.
    (CVE-2015-7756)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Juniper ScreenOS 6.2.0r19 / 6.3.0r21 or later.
Alternatively, apply the appropriate patch referenced in the vendor
advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7755");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date",value:"2015/12/17");
  script_set_attribute(attribute:"patch_publication_date",value:"2015/12/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/18");

  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/o:juniper:screenos");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("screenos_version.nbin");
  script_require_keys("Host/Juniper/ScreenOS/display_version", "Host/Juniper/ScreenOS/version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "Juniper ScreenOS";
display_version = get_kb_item_or_exit("Host/Juniper/ScreenOS/display_version");
version = get_kb_item_or_exit("Host/Juniper/ScreenOS/version");
respin_version = get_kb_item("Host/Juniper/ScreenOS/respin_version");

display_fix = "";

# Fixes: 6.2.0r19, 6.3.0r21
if (version =~ "^6\.2([^0-9]|$)" && ver_compare(ver:version, minver:"6.2.0.15", fix:"6.2.0.19", strict:FALSE) == -1)
  display_fix = "6.2.0r19";
else if (version =~ "^6\.3([^0-9]|$)" && ver_compare(ver:version, minver:"6.3.0.12", fix:"6.3.0.21", strict:FALSE) == -1)
{
  if(version =~ "^6\.3\.0\.1[2-9](\.0)?$")
  {
    if((respin_version !~ "^[b-z]" && !isnull(respin_version)) || isnull(respin_version))
      display_fix = "6.3.0r1" + version[7] + "b";
  }
  else display_fix = "6.3.0r21";
}

if(display_fix)
{
  port = 0;
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : ' + display_version +
      '\n  Fixed version     : ' + display_fix +
      '\n';

    security_hole(extra:report, port:port);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, display_version);
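The plugin above decides whether a device is affected purely from its reported version: a 6.2 release in [6.2.0r15, 6.2.0r19) needs 6.2.0r19, a 6.3 release in [6.3.0r12, 6.3.0r20] needs either the "b" respin of the same release (r12 through r19) or 6.3.0r21 (r20), and a device already running a "b" or later respin is treated as fixed. The following Python is an added example, not Tenable's plugin or Juniper's code, that reproduces that decision so it can be run against a version inventory exported from another tool. The host names and the inventory rows are constructed for the example; the version strings follow the two forms the plugin consumes (the dotted KB form such as 6.3.0.17 and the display form such as 6.3.0r17b).

```python
import re
from typing import List, Optional, Tuple

# Affected ranges from JSA10713, as encoded by the plugin's ver_compare() calls:
# [minver, fix) per branch, in dotted numeric form.
AFFECTED_RANGES = {
    (6, 2): ((6, 2, 0, 15), (6, 2, 0, 19)),
    (6, 3): ((6, 3, 0, 12), (6, 3, 0, 21)),
}

# Accepts the display form "6.3.0r17b" and the dotted form "6.3.0.17" / "6.3.0.17.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r|\.)(\d+)([a-z]?)(?:\.0)?$")


def parse_screenos_version(text: str) -> Tuple[Tuple[int, int, int, int], Optional[str]]:
    """Split a ScreenOS version into a numeric 4-tuple and an optional respin letter."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {text!r}")
    numeric = tuple(int(x) for x in m.groups()[:4])
    respin = m.group(5) or None
    return numeric, respin


def screenos_fix_for(version: str, respin: Optional[str] = None) -> Optional[str]:
    """Return the release the device should be upgraded to, or None when the
    reported version is outside the affected ranges (the plugin's decision)."""
    numeric, parsed_respin = parse_screenos_version(version)
    respin = respin or parsed_respin  # explicit KB respin value wins over the suffix
    branch = numeric[:2]
    if branch not in AFFECTED_RANGES:
        return None
    low, fix = AFFECTED_RANGES[branch]
    if not (low <= numeric < fix):
        return None
    if branch == (6, 2):
        return "6.2.0r19"
    # 6.3 branch: r12..r19 received 'b' respins carrying the fix; r20 must move to r21.
    release = numeric[3]
    if 12 <= release <= 19:
        if respin is not None and "b" <= respin[0] <= "z":
            return None  # already on the fixed respin (or a later one)
        return f"6.3.0r{release}b"
    return "6.3.0r21"


def audit_inventory(inventory: List[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Apply the check to (host, version, respin) rows; return the rows needing an upgrade."""
    findings = []
    for host, version, respin in inventory:
        fix = screenos_fix_for(version, respin)
        if fix is not None:
            findings.append((host, version + (respin or ""), fix))
    return findings


# Constructed sample inventory (hypothetical host names, not real devices).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0.17", None),   # r17 without respin -> needs r17b
    ("fw-edge-02", "6.3.0r17b", None),  # fixed respin already applied
    ("fw-dc-01", "6.2.0.16", None),     # 6.2 branch -> needs r19
    ("fw-dc-02", "6.3.0r20", None),     # r20 -> needs r21
    ("fw-lab-01", "6.3.0r11", None),    # below the affected range
]

if __name__ == "__main__":
    for host, installed, fix in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: installed {installed}, fixed version {fix}")
```

Like the plugin, this is a version-string check only: it reports what the device claims to run and says nothing about whether the device has already been accessed through the companion backdoor (CVE-2015-7755), which is why the upgrade and the log review recommended in the advisory both still apply to a host this flags.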

Seebug

bulletinFamily: exploit
description:

```
Author: xiaohu & mt (Knownsec 知道创宇 404 Security Lab)
Date: 2015-12-23
```

## Vulnerability information

Juniper Networks (瞻博网络), a leading global provider of networking and security solutions, has long paid close attention to customers who rely on their networks for strategic advantage. Its customers come from every industry worldwide, including major network operators, enterprises, government agencies, and research and educational institutions. Juniper's networking solutions provide the security and performance needed to support the world's largest, most complex and most demanding critical networks.

Last week Juniper Networks issued a statement that a high-severity vulnerability, CVE-2015-7756, had been found in Juniper ScreenOS, the operating system used by the NetScreen and Juniper SSG firewall products. The vulnerability concerns the pseudorandom keys used for VPN encryption on the affected devices, which can be recovered.

![](https://images.seebug.org/contribute/bd705e63-1d11-487b-bdfe-3e2ab5654193-1.png)

## Vulnerability analysis

First, one needs to understand the key functions involved in Juniper's VPN encryption, and then their relationships and roles. Their call relationships are shown in the table below:

![](https://images.seebug.org/contribute/bce61b01-cb6e-417f-a6ba-123b1f508cc7-2.png)

In the table above, the reseed_system_prng function generates the SEED and the 3DES key, and the ansi_x9_31_update function performs the iterative mixing. The flowchart of ansi_x9_31_update is as follows:

![](https://images.seebug.org/contribute/73b0db59-19de-4978-9e1a-f2b9855023fe-4.png)

As the figure shows, T is an 8-byte random value, but four of its bytes are fixed at 0, so only four bytes are actually random. T is generated from the machine's Timer reading at that moment. Most of the code of system_prng_gen_block and reseed_system_prng has been reverse-engineered; the pseudocode is in the appendix. Based on the analysis of these key functions, the foreign researcher RPW stated: "For now I have not found a practical way to exploit this to decrypt Juniper's VPN encryption, but I will keep following this vulnerability, and I suspect I have missed something; when I have time I will analyze it with a hardware JTAG debugger."

In the system_prng_gen_block pseudocode there is one key line that has not been analyzed in depth. As follows: from this line of code we can, based on the firmware, derive the prngseed used to initialize a random seed. Reversing the ssg5ssg20.6.3.0r19.0 firmware yields pseudocode in which the following code fragment can be found:

![](https://images.seebug.org/contribute/a68ea4ae-0ffe-4a0d-8a88-17b582e3d4f8-3.png)

From the code fragment above, one possible way of decrypting the VPN can be derived: after obtaining control of the system, or reading out the 32 bytes of prngseed through some other vulnerability or method, brute-force T (the trailing 4 pseudorandom bytes), after which the VPN can be decrypted. Another possibility: if the vendor's mechanism for generating prngseed were leaked, the VPN could be decrypted directly. The above is our preliminary analysis; we will analyze the Juniper vulnerability further.

## Impact

Statistics from the ZoomEye platform on ScreenOS devices worldwide show that the total number with the Telnet service exposed is as high as 34,000.

![](https://images.seebug.org/contribute/62dbc8d4-652c-4582-b794-2b609736a5cd-5.png)

Knownsec's Seebug 照妖镜 (online checker) now provides online detection for the ScreenOS authentication bypass vulnerability; this feature can be used to test ScreenOS devices, and if the vulnerability is present the device firmware should be upgraded immediately. Seebug provides the latest vulnerability information, vulnerability search, remediation guidance, a vulnerability catalog, security documents, vulnerability trend analysis and other services.

## Solution

Juniper Networks has already fixed the affected ScreenOS versions. The firmware version matching the device model can be downloaded from the official site and installed (link: http://www.juniper.net/support/downloads/screenos.html).

It should also be noted that using the backdoor to bypass authentication and obtain device administrator privileges is recorded in the ScreenOS log, but once a device has been fully compromised the log becomes unreliable. We recommend upgrading the ScreenOS device firmware immediately; if the firmware cannot be upgraded for practical reasons, access to the device should be restricted by IP. For additional safety, a network log server can be added so that all ScreenOS logs are exported to it automatically as they occur; remotely stored logs are far less likely to be tampered with than locally stored ones.

## References

https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/
https://github.com/hdm/juniper-cve-2015-7755
http://www.juniper.net/support/downloads/screenos.html

id: SSV:90140
last seen: 2017-11-19
modified: 2015-12-21
published: 2015-12-21
reporter: Root
title: Juniper Networks (瞻博网络) unauthorized access vulnerability