Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Stephane Bortzmeyer
ng telnet/SSH access) has been published recently: https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor Shodan finds 26000 ScreenOS machines reachable from the Internet. It will be a small botnet :-)

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Doug Barton
https://www.schneier.com/blog/archives/2015/12/back_door_in_ju.html

[CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Stephane Bortzmeyer
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554 https://kb.juniper.net/InfoCenter/index?page=content=JSA10713=SIRT_1=LIST Should we blame Juniper for letting a git repository open to "unauthorized code" or should we congratulate them for

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Karsten Thomann
Am Freitag, 18. Dezember 2015, 09:28:11 schrieb Stephane Bortzmeyer: > http://forums.juniper.net/t5/Security-Incident-Response/Important-Announceme > nt-about-ScreenOS/ba-p/285554 > https://kb.juniper.net/InfoCenter/index?page=content=JSA10713= SIRT_1 > =LIST > > Should we blame Juniper for

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Dave Taht
I think "unauthorized code" is still plausible newspeak for "bug". Why blame finger foo when you can blame terrorists?

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread A . L . M . Buxey
Hi, > > Should we blame Juniper for letting a git repository open to > > "unauthorized code" or should we congratulate them for their frankness > > (few corporations would have admitted the problem)? 'un-authorized' - not authorized. this could be code/idea by some/one engineer for eg debugging

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
Yes. He's backing off a bit on the claim, since he doesn't have full context. --Steve Bellovin, https://www.cs.columbia.edu/~smb Sent from from a handheld; please excuse tyops > On Dec 18, 2015, at 12:27 PM, Royce Williams wrote: > >> On Fri, Dec 18, 2015 at 8:03 AM,

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote: > On 18 Dec 2015, at 7:28, Dave Taht wrote: > >> I think "unauthorized code" is still plausible newspeak for "bug". >> >> Why blame finger foo when you can blame terrorists? > > It looks like two different holes, one a back door for

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Royce Williams
On Fri, Dec 18, 2015 at 8:03 AM, Steven M. Bellovin wrote: > On 18 Dec 2015, at 11:52, Steven M. Bellovin wrote: > >> On 18 Dec 2015, at 7:28, Dave Taht wrote: >> >>> I think "unauthorized code" is still plausible newspeak for "bug". >>> >>> Why blame finger foo when you

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Steven M. Bellovin
On 18 Dec 2015, at 7:28, Dave Taht wrote: > I think "unauthorized code" is still plausible newspeak for "bug". > > Why blame finger foo when you can blame terrorists? It looks like two different holes, one a back door for unauthorized console login and one to somehow leak VPN encryption keys.