Identifying ScreenOS Remote Administrative Access exploit using SIEM

By Sujay Mendon

March 15, 2016


1. Cause and Effect

During an internal code review of ScreenOS, two major security issues were discovered. The first, Unauthorized Administrative Access (CVE-2015-7755), allows remote, unauthenticated administrative access to the device. Exploitation of this vulnerability can result in complete compromise of the affected device.

This issue affects ScreenOS 6.2.0r15, 6.2.0r18 and 6.3.0r20 and has been assigned CVE-2015-7755. No other Juniper Networks products, and no other ScreenOS versions or platforms, were found to be affected.

2. Resolving the Problem

Although the issue can be eliminated by upgrading to a patched release, rolling the patch out across an entire organization, particularly on critical network and security devices, is a daunting undertaking that consumes a significant amount of time and effort.

It is therefore important to be able to detect and contain the issue from the day it is disclosed: unauthorized access must be detected and blocked immediately.

In addition, administrators should restrict management access with an IP-based whitelist, so that only specific machines can legitimately reach the administrative console, and should enable two-factor authentication wherever possible.

Note that no Identity Management System (IMS) or Privileged Identity Management System (PIMS) can prevent this type of attack, because the backdoor bypasses the device's own password check.

3. The Significance of Stopping the Attack As Soon As Possible and Preventing it in the Future

There is no question that an intrusion like this must be stopped as soon as it is seen. The reasons below are why you should also focus on preventing it from happening again:

  • The hacker can easily infiltrate and gain administrative access without having to learn the password
  • The hacker can gain access to critical network and security devices which may lead to organization wide network compromise
  • You stand a high risk of being constantly and unknowingly monitored

4. Threat Actor, Threat Vector, Asset type and Impact

[Figure: threat actors]

5. The Mechanism for Detecting Unauthorized Threat and Access

When the backdoor is used, the device still writes a login log entry, but the two entries for the session disagree: the 00515 entry records the logged-on admin user as "system", while the 00528 password-authentication entry records whatever username was supplied. This mismatch is the indicator that the device has been accessed maliciously. For example:

Normal login by user username1:

2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from …..

2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username1’ at host …

Compromised login by user username2:

2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from …..

2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host …

6. Use Case: Detecting the Compromise with a SIEM Correlation Rule

Log Sources:

Devices with ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20

Event Condition:

Check for a successful or unsuccessful SSH login by the user "system" where the corresponding password authentication event names a different user.

For example:

  • Admin user system has logged on via SSH from
  • Password authentication successful for admin user username2
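The correlation described in sections 5 and 6 can be prototyped outside the SIEM. The following Python script is an added example, not code from the original post or from Juniper: it parses ScreenOS 00515 and 00528 syslog entries, pairs them by source host within a short time window, and raises an alert when the 00515 entry names the admin user "system" while the paired 00528 entry names a different user. The sample log lines and the IP addresses in them are constructed for this example (the original post elides the host fields), and the five-second window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ScreenOS log lines (not from the original post). Hosts are
# RFC 5737 documentation addresses. Lines 1-2: a normal login. Lines 3-4: the
# backdoor pattern (00515 says "system", 00528 says "username2"). Line 5: a
# 00515 for "system" with no matching 00528 event.
SAMPLE_LOGS = [
    "2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from 192.0.2.10",
    "2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'username1' at host 192.0.2.10",
    "2015-12-17 09:05:00 system warn 00515 Admin user system has logged on via SSH from 198.51.100.7",
    "2015-12-17 09:05:01 system warn 00528 SSH: Password authentication successful for admin user 'username2' at host 198.51.100.7",
    "2015-12-17 09:10:00 system warn 00515 Admin user system has logged on via SSH from 203.0.113.5",
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Event 00515: admin user logged on via SSH.
LOGON_RE = re.compile(
    TS_RE + r" system warn 00515 Admin user (?P<user>\S+) has logged on via SSH from (?P<host>\S+)"
)
# Event 00528: password authentication result. Accept straight or curly quotes
# around the username, since copied logs often carry either.
AUTH_RE = re.compile(
    TS_RE + r" system warn 00528 SSH: Password authentication successful for admin user "
    r"['\u2018](?P<user>[^'\u2019]+)['\u2019] at host (?P<host>\S+)"
)


def parse(line):
    """Return (kind, timestamp, user, host) for a 00515/00528 line, else None."""
    m = LOGON_RE.match(line)
    if m:
        return ("logon", datetime.strptime(m["ts"], TS_FMT), m["user"], m["host"])
    m = AUTH_RE.match(line)
    if m:
        return ("auth", datetime.strptime(m["ts"], TS_FMT), m["user"], m["host"])
    return None


def detect(lines, window=timedelta(seconds=5)):
    """Correlate 00515 and 00528 events per source host and return alerts.

    High confidence: a 00515 entry for admin user "system" paired (same host,
    within `window`) with a 00528 entry for a different user. Medium
    confidence: a 00515 entry for "system" with no paired 00528 entry, which
    the use case also asks for since it covers unsuccessful logins too.
    """
    auths = defaultdict(list)  # host -> [(timestamp, authenticated user)]
    logons = []                # [(timestamp, logged-on user, host)]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not one of the two event IDs we care about
        kind, ts, user, host = ev
        if kind == "auth":
            auths[host].append((ts, user))
        else:
            logons.append((ts, user, host))

    alerts = []
    for ts, user, host in logons:
        if user != "system":
            continue  # ordinary named-admin login; not the backdoor pattern
        paired = [u for (ats, u) in auths[host] if abs(ats - ts) <= window]
        mismatched = [u for u in paired if u != "system"]
        alerts.append({
            "time": ts.strftime(TS_FMT),
            "host": host,
            "auth_user": mismatched[0] if mismatched else None,
            "confidence": "high" if mismatched else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

In a production SIEM the same logic is expressed as a correlation rule keyed on the source host, with the 00515 event for "system" as the trigger and the 00528 event as the joined condition; the standalone script is useful for validating the rule against exported logs before deploying it.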


7. An Efficient and Effective Workaround

According to the Juniper SIRT, the effective and immediate solution is to upgrade to a fixed release (as identified in the 'Solutions' section of the .arb file attached above).

CVE-2015-7755 (unauthorized access) Mitigation

Limiting network access to trusted administrators, management networks and hosts greatly reduces the risk. The attack can only be carried out from a location from which management login to the device is permitted.

Security Best Current Practice (BCP)

In light of the recommendations above, restricting management access should be a routine security practice to mitigate future exploitation of network and security infrastructure. Access lists and/or firewall filters can be used to limit management access to trusted administrative networks or hosts only.

8. Implementation

You can obtain the fix at:

http://www.juniper.net/support/downloads/screenos.html

9. ArcSight Use Case ‘arb’ File


Please contact sujay.mendon@paladion.net for the arb file



About

Sujay Mendon

Sujay Mendon leads a team of cyber security researchers in Paladion's SOC services that actively hunt for vulnerabilities and threats in the global threat landscape. His team often lurks in the dark alleys of the virtual world to discover the latest malware, malicious software, hacking methodologies, and ways to detect these attacks before the damage is done. Analysts receive the latest threat intelligence derived from this research, which helps them better respond to security events and alerts. When Sujay is not busy helping his team navigate the hot beds of cybercrime, he is seen imparting his knowledge to security geeks in various security forums and communities.