http://www.theregister.co.uk/2016/01/26/juniper_us_government/
By Chris Williams
The Register
26 Jan 2016
A bunch of US government departments and agencies – from the military to
NASA – are being grilled over their use of backdoored Juniper firewalls.
The House of Representatives' Committee on Oversight and Government Reform
fired off letters to top officials over the weekend, demanding to know if
any of the dodgy NetScreen devices were used in federal systems.
Juniper's ScreenOS software – the firmware that powers its firewalls –
was tampered with by mystery hackers a few years ago to introduce two
vulnerabilities: one was an administrator-level backdoor accessible via
Telnet or SSH using a hardcoded password, and the other allowed
eavesdroppers to decrypt intercepted VPN traffic. The flaws, which were
smuggled into the source code of the firmware, were discovered on December
17 by Juniper, and patches were issued three days later to correct the
faults.
The backdoor (CVE-2015-7755) affects ScreenOS versions 6.3.0r17 through
6.3.0r20, and the weak VPN encryption (CVE-2015-7756) affects ScreenOS
6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
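As an added example (not code from the article or from Juniper), a small Python checker that parses ScreenOS release strings and reports which of the two CVEs listed above apply to each firewall in a constructed inventory. It assumes the `major.minor.patch` `r<N>` form of the versions quoted in the article and treats the stated ranges as inclusive.

```python
import re
from typing import Dict, List, Tuple

# Affected ScreenOS releases as stated in the article (inclusive ranges).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],        # admin backdoor
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"),         # weak VPN crypto
                      ("6.3.0r12", "6.3.0r20")],
}

# Assumed release-string form: major.minor.patch followed by r<release number>.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a ScreenOS release string such as '6.3.0r17' into a comparable tuple.
    Raises ValueError for strings that do not follow the expected form."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, patch, rel = (int(g) for g in m.groups())
    return (major, minor, patch, rel)


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected range contains `version`."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device in a {name: version} inventory to its applicable CVEs."""
    return {name: affected_cves(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the device names and versions are made up.
    sample = {"fw-edge-1": "6.3.0r18", "fw-dc-2": "6.2.0r16",
              "fw-lab-3": "6.3.0r21", "fw-old-4": "6.3.0r11"}
    for name, cves in triage_inventory(sample).items():
        print(f"{name}: {', '.join(cves) or 'not in the affected ranges'}")
```

A version outside both ranges is reported as not affected only with respect to these two CVEs; it says nothing about whether the device is otherwise current.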
[...]