The Juniper ScreenOS backdoor recently discovered provides administrative access to these firewalls, but in terms of access to valuable data can it actually provide an attacker with anything useful other than logs?

Can an attacker alter routing? Or disable firewall rules, for example? In most of the scenarios I come up against, these will be of far greater importance.

Rory Alsop

2 Answers

As the exploit gives root access to the Juniper device, an attacker can:

  • Decrypt all VPN traffic to the device, thus allowing viewing of all traffic through encrypted tunnels that terminate at the Juniper box
  • Edit firewall rules on the box, allowing an attacker to remove rules protecting assets within the network
  • Alter routing tables where these are used, perhaps redirecting traffic
  • View logs stored on the device
  • Edit logs on the device to remove any trace of compromise
Rory Alsop
  • Control of the router can also be used to inject general MITM attacks against vulnerable client software (web browsers etc.). SSL certificates on the device can be copied and used to fake authentication against external systems. I'm not sure if the vulnerable Juniper devices do SSL interception ([some Juniper firewalls do](https://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-ssl-decryption-overview.html)), but if they do then the outgoing web sessions of regular users can be decrypted and altered, including banking and other important sites. – bain Dec 22 '15 at 16:34
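Added example, not part of the original question or answers: a baseline comparison of a ScreenOS-style `get config` export that flags exactly the changes the answer lists as available to a root-level intruder (removed or altered policies, changed routes, new admin accounts). The config lines are constructed and only approximate ScreenOS `set` syntax; the set of tracked line kinds is an assumption.

```python
import re
from collections import defaultdict

# Tracked 'set' line kinds, keyed by a stable identity (policy id, route prefix,
# admin name) so that an edited line shows as 'changed', not as remove + add.
KEY_PATTERNS = {
    "policy": re.compile(r'^set policy id (\d+)\b'),
    "route": re.compile(r'^set route (\S+)\b'),
    "admin": re.compile(r'^set admin user "([^"]+)"'),
}

def index_config(text):
    """Map (kind, identity) -> full line for every tracked 'set' line."""
    indexed = {}
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in KEY_PATTERNS.items():
            m = pat.match(line)
            if m:
                indexed[(kind, m.group(1))] = line
                break
    return indexed

def diff_config(baseline, current):
    """Return {'removed': [...], 'added': [...], 'changed': [(old, new)]}."""
    base, cur = index_config(baseline), index_config(current)
    report = defaultdict(list)
    for key in sorted(base.keys() - cur.keys()):
        report["removed"].append(base[key])
    for key in sorted(cur.keys() - base.keys()):
        report["added"].append(cur[key])
    for key in sorted(base.keys() & cur.keys()):
        if base[key] != cur[key]:
            report["changed"].append((base[key], cur[key]))
    return dict(report)

# Constructed sample (approximate ScreenOS syntax, RFC 5737 addresses): the
# known-good baseline and a later 'get config' export from the firewall.
BASELINE = """\
set admin user "netops" password "REDACTED" privilege "all"
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(192.0.2.10)" "HTTPS" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
"""
CURRENT = """\
set admin user "netops" password "REDACTED" privilege "all"
set admin user "support" password "REDACTED" privilege "all"
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.99
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(192.0.2.10)" "HTTPS" permit
"""
```

Calling `diff_config(BASELINE, CURRENT)` reports the dropped deny policy, the new admin account, the changed default gateway and the policy that lost its `log` flag. Because the answer notes the intruder can also edit logs on the device, the baseline has to be kept off the box for the comparison to mean anything.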
Root on the box.

So, "yes" to all.

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search

Exploitation of this vulnerability can lead to complete compromise of the affected system.

Update: Password disclosed
Rapid7 have disclosed the password.

StackzOfZtuff
  • But, that's just on the Juniper box, right? How does this actually affect servers in the protected network, the business systems, etc.? – AviD Dec 20 '15 at 14:40
  • @AviD That would depend on the individual deployments; in my limited experience, security once having access to a VPN is sorely lacking. From the attacker's point of view, (s)he would have the same (arguably more) control over the traffic than your ISP. With VPN traffic terminating at the box, what could an attacker accomplish with a plug into your network at that point? – Phizes Dec 20 '15 at 22:09
  • @Phizes well yeah, that's the point of the question though... – AviD Dec 21 '15 at 08:51
  • @AviD that's true, my apologies there. I assumed that given the OP's suppositions about attack possibilities, the device capabilities, and that root is obtained, those details would be implicit. In hindsight, this is not a StackExchange model answer. – Phizes Dec 21 '15 at 09:12