Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
Juniper strongly recommends that all Juniper customers update their systems and apply these patched releases with the highest priority.
Juniper is committed to maintaining the integrity and security of their products and wanted to make customers aware of critical patched releases they have issued to address vulnerabilities in devices running ScreenOS®software.
During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once they identified these vulnerabilities, they launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.
At this time, they have not received any reports of these vulnerabilities being exploited; however, Juniper strongly recommends that customers update their systems and apply the patched releases with the highest priority.
The Juniper Security Response Team takes this matter very seriously and are making every effort to address these issues. More information and guidance on applying this update to systems can be found in the Juniper Security Advisories (JSAs) available on their Security Incident Response website at http://advisory.juniper.net.
FAQ
Q: Why did this issue require an out-of-cycle security advisory?
Juniper is committed to maintaining the integrity and security of their products. Consistent with industry best practices, this means releasing patches for products in a timely manner to maintain customer security. Juniper believed that it was in their customers’ best interest to issue these patched releases with the highest priority. Juniper strongly recommends that all customers update their systems and apply these patched releases as soon as possible.
Q: What devices do these issues impact?
- Administrative access (CVE-2015-7755) only affects devices running ScreenOS 6.3.0r17 through 6.3.0r20.
- VPN Decryption (CVE-2015-7756) only affects devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
Juniper strongly recommends that all customers update their systems and apply the patched releases with the highest priority
Q: Is the SRX or any other Junos®-based system affected by these issues?
These vulnerabilities are specific to ScreenOS. Juniper has no evidence that the SRX or other devices running Junos are impacted at this time.
Q: Who can I contact if I have additional questions about my system?
Customers with questions about their systems can email Juniper at sirt@juniper.net
