Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Stephane Bortzmeyer
On Fri, Dec 18, 2015 at 09:28:11AM +0100,
 Stephane Bortzmeyer <bortzme...@nic.fr> wrote 
 a message of 6 lines which said:

> http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554

The password for the first backdoor (the one regarding telnet/SSH
access) has been published recently:

https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

Shodan finds 26000 ScreenOS machines reachable from the Internet. It
will be a small botnet :-)


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Doug Barton

https://www.schneier.com/blog/archives/2015/12/back_door_in_ju.html


[CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Stephane Bortzmeyer
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
https://kb.juniper.net/InfoCenter/index?page=content=JSA10713=SIRT_1=LIST

Should we blame Juniper for letting a git repository open to
"unauthorized code" or should we congratulate them for their frankness
(few corporations would have admitted the problem)?


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Karsten Thomann
On Friday, 18 December 2015, 09:28:11, Stephane Bortzmeyer wrote:
> http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
> https://kb.juniper.net/InfoCenter/index?page=content=JSA10713=SIRT_1=LIST
> 
> Should we blame Juniper for letting a git repository open to
> "unauthorized code" or should we congratulate them for their frankness
> (few corporations would have admitted the problem)?

I think we should do both, even if it would be interesting to know how long
the problem has already existed.


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Dave Taht
I think "unauthorized code" is still plausible newspeak for "bug".

Why blame finger foo when you can blame terrorists?


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread A . L . M . Buxey
Hi,

> > Should we blame Juniper for letting a git repository open to
> > "unauthorized code" or should we congratulate them for their frankness
> > (few corporations would have admitted the problem)?

'un-authorized' - not authorized.

this could be code/idea by some/one engineer for eg debugging purpose etc that
just didn't get ANY signoff by anyone - so during code review they've questioned
its presence and not found the relevant sign-off etc.

take VW here...they are now blaming a small set of engineers who rigged the
emissions system...if they can say that no managers/execs knew about this and it
was purely in some small code team etc then that too is unauthorized code - but
it's internal, not an external bad guy (it will be interesting however, in that
case, whether that really was the case and it WASN'T known about by someone
else...thus 'authorized' in that it wasn't stopped)

alan


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
Yes. He's backing off a bit on the claim, since he doesn't have full context. 

--Steve Bellovin, https://www.cs.columbia.edu/~smb

Sent from from a handheld; please excuse tyops

> On Dec 18, 2015, at 12:27 PM, Royce Williams wrote:
> 
>> On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin wrote:
>>> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>>> 
>>>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>>> 
>>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>> 
>>>> Why blame finger foo when you can blame terrorists?
>>> 
>>> It looks like two different holes, one a back door for unauthorized
>>> console login and one to somehow leak VPN encryption keys.  There are
>>> hints that that latter involved tinkering with certain constants in
>>> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
>>> that would squarely point the finger at some government's intelligence
>>> agency.
>>> 
>>> I don't know who did it, but neither 'bug' nor 'developer debugging
>>> code' sounds plausible here.
>> 
>> https://twitter.com/sweis/status/677896363070259200
> 
> That tweet got deleted, apparently to redraft/correct; is this the equivalent?
> 
> https://twitter.com/sweis/status/677897914643976193
> https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff-L16
> 
> Royce



Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin


On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:

> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>
>> I think "unauthorized code" is still plausible newspeak for "bug".
>>
>> Why blame finger foo when you can blame terrorists?
>
> It looks like two different holes, one a back door for unauthorized
> console login and one to somehow leak VPN encryption keys.  There are
> hints that that latter involved tinkering with certain constants in
> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
> that would squarely point the finger at some government's intelligence
> agency.
>
> I don't know who did it, but neither 'bug' nor 'developer debugging
> code' sounds plausible here.

https://twitter.com/sweis/status/677896363070259200



Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Royce Williams
On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin wrote:
> On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote:
>
>> On 18 Dec 2015, at 7:28, Dave Taht wrote:
>>
>>> I think "unauthorized code" is still plausible newspeak for "bug".
>>>
>>> Why blame finger foo when you can blame terrorists?
>>
>> It looks like two different holes, one a back door for unauthorized
>> console login and one to somehow leak VPN encryption keys.  There are
>> hints that that latter involved tinkering with certain constants in
>> the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
>> that would squarely point the finger at some government's intelligence
>> agency.
>>
>> I don't know who did it, but neither 'bug' nor 'developer debugging
>> code' sounds plausible here.
>
> https://twitter.com/sweis/status/677896363070259200

That tweet got deleted, apparently to redraft/correct; is this the equivalent?

https://twitter.com/sweis/status/677897914643976193
https://gist.github.com/hdm/107614ea292e856faa81#file-ssg500-6-3-0r12-0-diff-L16

Royce


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin


On 18 Dec 2015, at 7:28, Dave Taht wrote:

> I think "unauthorized code" is still plausible newspeak for "bug".
>
> Why blame finger foo when you can blame terrorists?

It looks like two different holes, one a back door for unauthorized
console login and one to somehow leak VPN encryption keys.  There are
hints that that latter involved tinkering with certain constants in
the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
that would squarely point the finger at some government's intelligence
agency.

I don't know who did it, but neither 'bug' nor 'developer debugging
code' sounds plausible here.