DaemonForums  

#1
18th December 2015
e1-531g
ISO Quartermaster

Join Date: Mar 2014
Posts: 628
Backdoor in NetScreen firewalls gives attackers admin access, VPN decrypt ability.

http://arstechnica.com/security/2015...d-vpn-traffic/
https://forums.juniper.net/t5/Securi...OS/ba-p/285554

Quote:
An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There's no evidence right now that the backdoor was put in other Juniper OSes or devices.

"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Juniper Chief Information officer Bob Worrall wrote. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."
#2
18th December 2015
Oko
Rc.conf Instructor

Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

I wonder if this is related to the well-known Jail vulnerabilities which can be used to unlock the PlayStation 4?
#3
18th December 2015
rons
Snoozing

Join Date: Oct 2015
Posts: 69

I know Juniper uses some BSD stuff. I wonder if Netscreen or ScreenOS is related in any way?
#4
18th December 2015
e1-531g
ISO Quartermaster

Join Date: Mar 2014
Posts: 628

https://www.juniper.net/techpubs/sof...S-glossary.pdf
Quote:
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite.
Via Arstechnica:
Quote:
Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier.
#5
19th December 2015
kpa
Port Guard

Join Date: Jul 2015
Posts: 18

According to a post on the FreeBSD forums the supposedly vulnerable ScreenOS versions are not based on *BSD and ScreenOS has been end of life for seven years to boot...
#6
19th December 2015
e1-531g
ISO Quartermaster

Join Date: Mar 2014
Posts: 628

@kpa
According to the link in the post, ScreenOS 6.3 (one of the vulnerable versions) includes FreeBSD software. I don't know how much, but it has some *BSD code. Maybe 5%, maybe 90%.
And seven years is not for sale, but support continues. It is a firewall, so often one doesn't need to upgrade it each year and probably doesn't even want to.

Tags
juniper firewall, screenos

