A bunch of US government departments and agencies – from the military to NASA – are being grilled over their use of backdoored Juniper firewalls.
The House of Representatives' Committee on Oversight and Government Reform fired off letters to top officials over the weekend, demanding to know if any of the dodgy NetScreen devices were used in federal systems.
Juniper's ScreenOS software – the firmware that powers its NetScreen firewalls – was tampered with by mystery hackers a few years ago to introduce two vulnerabilities: one was an administrator-level backdoor, letting anyone who could reach a device's Telnet or SSH management interface log in using a hardcoded password, and the other allowed eavesdroppers to decrypt VPN traffic they had intercepted. The flaws, which were smuggled into the source code of the firmware, were discovered on December 17 by Juniper, and patches were issued three days later to correct the faults.
The backdoor (CVE-2015-7755) affects ScreenOS versions 6.3.0r17 through 6.3.0r20, and the weak VPN encryption (CVE-2015-7756) affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
The oversight committee has given the departments until February 4 to audit their use of ScreenOS – a bit of an ask, we reckon, because even the IRS lost track of 1,300 computers still running Windows XP. Pulling together records of networking kit in a rush, and amid an East Coast snow-mageddon, might give some federal IT workers a heart attack.
Specifically, the committee – which is worried about the impact of the security holes – wants to know: whether any vulnerable devices were used; what steps IT staff took after learning of the vulnerabilities; which versions of ScreenOS were used; and when vulnerable devices were patched to address the problems.
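Answering the committee's "which versions were in use" question boils down to checking each device's ScreenOS version string against the two affected ranges listed above. Here is one way to do that, as an added example that is not code from the original article nor from Juniper: it parses release strings of the form 6.3.0r20 into comparable tuples, maps each one to the CVEs whose range includes it, and flags anything it cannot parse for a human to look at. The device names and versions in the sample inventory are constructed for the demo, and accepting an optional trailing build suffix (6.3.0r20.0) is an assumption about how devices report themselves.

```python
"""Audit ScreenOS version strings against the CVE-2015-7755/7756 affected ranges."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ScreenOSVersion(NamedTuple):
    """ScreenOS release numbers, e.g. 6.3.0r20 -> (6, 3, 0, 20).

    Tuples compare field by field, so 6.3.0r9 < 6.3.0r12 comes out right
    even though a plain string comparison would get it wrong."""
    major: int
    minor: int
    patch: int
    release: int


# Accepts "6.3.0r20" and, as an assumption about how devices report themselves,
# an optional trailing build suffix such as "6.3.0r20.0".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?\s*$")


def parse_version(text: str) -> ScreenOSVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a ScreenOS version string: {text!r}")
    return ScreenOSVersion(*(int(g) for g in m.groups()))


# Inclusive affected ranges, as published for the two CVEs.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],  # hardcoded-password admin backdoor
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"),    # intercepted VPN traffic decryptable
                      ("6.3.0r12", "6.3.0r20")],
}


def affected_cves(version: str) -> List[str]:
    """Return the sorted CVE ids whose affected range includes `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            if parse_version(low) <= v <= parse_version(high):
                hits.append(cve)
                break
    return sorted(hits)


def audit_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, Optional[List[str]]]:
    """Map each device name to its applicable CVEs; None means the version
    string could not be parsed and needs a human to look at it."""
    report: Dict[str, Optional[List[str]]] = {}
    for name, version in inventory:
        try:
            report[name] = affected_cves(version)
        except ValueError:
            report[name] = None
    return report


# Constructed sample inventory; these names and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("fw-hq-edge-1", "6.3.0r19.0"),   # both CVEs
    ("fw-branch-7", "6.3.0r12"),      # VPN issue only
    ("fw-lab-2", "6.2.0r16"),         # VPN issue only (6.2 branch)
    ("fw-dmz-old", "6.3.0r11"),       # below both ranges
    ("fw-unknown", "ScreenOS 6.3"),   # unparseable: flag for manual check
]

if __name__ == "__main__":
    for name, cves in audit_inventory(SAMPLE_INVENTORY).items():
        status = "UNPARSEABLE" if cves is None else (", ".join(cves) or "not in affected ranges")
        print(f"{name:14} {status}")
```

A version below or above both ranges comes back with an empty list, which only says the device is outside the published affected ranges; it does not say the device is patched, so the audit still needs the patch date the committee asks for.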
The panel has written to the SEC, the Dept of Agriculture, the General Services Administration, the Dept of Commerce, the Dept of Labor, the Dept of Energy – which also looks after Uncle Sam's nuclear research – the Dept of Veterans Affairs, the Environmental Protection Agency, the Treasury Department, the Dept of Education, NASA, etc etc. ®