Information Security News mailing list archives

NASA, Dept of Defense, Commerce etc probed over use of backdoored Juniper kit


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 26 Jan 2016 07:18:06 +0000 (UTC)

http://www.theregister.co.uk/2016/01/26/juniper_us_government/

By Chris Williams
The Register
26 Jan 2016

A bunch of US government departments and agencies – from the military to NASA – are being grilled over their use of backdoored Juniper firewalls.

The House of Representatives' Committee on Oversight and Government Reform fired off letters to top officials over the weekend, demanding to know if any of the dodgy NetScreen devices were used in federal systems.

Juniper's ScreenOS software – the firmware that powers its firewalls – was tampered with by mystery hackers a few years ago to introduce two vulnerabilities: one was an administrator-level backdoor accessible via Telnet or SSH using a hardcoded password, and the other allowed eavesdroppers to decrypt intercepted VPN traffic. The flaws, which were smuggled into the source code of the firmware, were discovered on December 17 by Juniper, and patches were issued three days later to correct the faults.

The backdoor (CVE-2015-7755) affects ScreenOS versions 6.3.0r17 through 6.3.0r20, and the weak VPN encryption (CVE-2015-7756) affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
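As an added defender-side example (not part of the article or of the list post), a small Python inventory check that parses ScreenOS version strings and reports which of the two CVEs above applies to each device, using only the version ranges stated in the article. The hostnames in the sample inventory are constructed, and the version format `X.Y.ZrN` is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Affected ScreenOS ranges (inclusive) as stated in the article.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],            # hardcoded-password backdoor
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"),             # weak VPN encryption
                      ("6.3.0r12", "6.3.0r20")],
}

# Assumed version shape: major.minor.patch followed by "r" and a release number.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '6.3.0r17' into (6, 3, 0, 17) so tuples compare numerically."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {s!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the article whose ranges contain this version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each (host, version) pair to its CVE hits; unparseable versions are flagged."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = affected_cves(version)
        except ValueError:
            result[host] = ["UNPARSEABLE-VERSION"]
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r17"),   # both CVEs
    ("fw-edge-02", "6.3.0r12"),   # VPN weakness only
    ("fw-lab-01", "6.2.0r14"),    # below the affected 6.2 range
    ("fw-old-01", "5.4.0r9"),     # outside both ranges
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) or 'not in the listed ranges'}")
```

Hosts reported as outside the listed ranges still need their firmware verified against Juniper's advisory rather than treated as clean, since the check only encodes the ranges quoted here.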

[...]
