
SANS ISC: The other Juniper vulnerability - CVE-2015-7756 SANS ISC InfoSec Forums


Almost completely lost in the hype of the Juniper "unauthorized code" backdoor vulnerability (CVE-2015-7755) is the other vulnerability that was fixed as part of the same patch (CVE-2015-7756). CVE-2015-7756 is titled "ScreenOS VPN decryption vulnerability", and according to the Juniper bulletin it may "allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic." In short, this vulnerability is a cryptographic flaw caused by a potentially backdoored random number generator. It also appears that sometime in 2012 unauthorized changes were made to the parameters used by the NetScreen VPN, which permitted this backdoor to be exploited to decrypt and eavesdrop on Juniper VPN connections.

If CVE-2015-7755 is not reason enough to patch these vulnerabilities as soon as practical, CVE-2015-7756 definitely should give you a push to get the patch applied if you use the Juniper VPN functionality.

If you are one of those people who like reading the technical details of cryptography, then I highly recommend the excellent write-up by Ralf-Philipp Weinmann at the blog. For a lighter version, Matthew Green has a write-up that is less technical but explains the high-level details very well.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)


321 Posts
ISC Handler
Dec 22nd 2015
As a Juniper VPN user (required by my company), can I tell whether the company server is still vulnerable?
Well, if you're loath to directly attempt it against your own equipment, you could search Shodan for any of your externally facing equipment and see if they show up as vulnerable. If you know the version numbers, Johannes has a nice table in a previous diary entry.

12 Posts
