Backdoor in Netscreen ScreenOS

A backdoor has been found in NetScreen ScreenOS versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20. Any valid username combined with the password <<< %s(un='%s') = %u, presented over a Telnet or SSH session to the device (rule-set permitting), gives the attacker a privileged shell. In addition to the backdoor, an issue exists in the VPN implementation that leaves encrypted VPN traffic open to decryption by anyone able to capture it. Details regarding the source of these issues are yet to be released, but speculation is rife.
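Two checks a responder would want at this point, as an added example (not code from the original post): flag ScreenOS build strings that fall inside the affected ranges quoted above, and look for the backdoor password in captured Telnet payloads, since Telnet carries the password in the clear (an SSH session hides it, so only the Telnet path is detectable on the wire). The version strings and packet bytes are constructed sample input; the version ranges and the password string are the ones given above.

```python
"""Added example (not from the original post): flag affected ScreenOS builds
and spot the cleartext backdoor password in Telnet payloads.
Sample version strings and payloads below are constructed."""
import re

BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"

# Inclusive affected ranges as quoted above, as (major, minor, patch, release) tuples.
AFFECTED_RANGES = [
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 12), (6, 3, 0, 20)),
]

# Matches strings such as "6.3.0r17" or "6.3.0r17.0" as shown by 'get system'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)")


def parse_version(text):
    """Turn a ScreenOS version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ScreenOS version: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_affected(version_text):
    """True when the build sits inside one of the affected ranges (inclusive)."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Telnet protocol bytes: option negotiation can be interleaved with typed data,
# so it is stripped before searching for the password.
IAC, SE, SB = 0xFF, 0xF0, 0xFA


def strip_telnet_options(data):
    """Remove IAC command sequences and subnegotiations, keep the user data."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                      # dangling IAC at end of segment
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                # subnegotiation: skip up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:      # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:                          # other two-byte commands (NOP, AYT, ...)
            i += 2
    return bytes(out)


def telnet_payload_has_backdoor(payload):
    """True if the backdoor password appears in a client-to-device Telnet payload."""
    return BACKDOOR_PASSWORD.encode() in strip_telnet_options(payload)


# Constructed sample: a DO/WILL negotiation followed by the password being typed.
SAMPLE_TELNET_PAYLOAD = b"\xff\xfb\x18" + BACKDOOR_PASSWORD.encode() + b"\r\n"

if __name__ == "__main__":
    for v in ("6.2.0r14.0", "6.2.0r15.0", "6.3.0r17.0", "6.3.0r21.0"):
        print(v, "AFFECTED" if is_affected(v) else "ok")
    print("backdoor seen in sample Telnet payload:",
          telnet_payload_has_backdoor(SAMPLE_TELNET_PAYLOAD))
```

The version check is only a triage aid; the fixed releases Juniper ships are the authority on which build is safe. The Telnet check is meant to be run over reassembled client-to-device payloads, for example from a packet capture of the management network.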

So what can we do to prevent such attacks?

Well, the obvious action is to upgrade the firmware to a corrected release, but that only addresses part of the problem. Management interfaces should, as a matter of principle, be reachable only from trusted sources. Unfortunately, leaving the management interface exposed to the world is something we see far too often: it is still common practice to allow SSH, Telnet, or HTTP/HTTPS traffic to network infrastructure from almost anywhere. The moment a vulnerability such as this one is disclosed, that superfluous attack surface makes a compromise likely. Other common problems we see with management interfaces include:

1. Using protocols such as Telnet or HTTP that provide no encryption for credentials in transit.
2. Using self-signed certificates on HTTPS interfaces.
3. Leaving management accounts at their defaults.
4. Leaving superfluous management services exposed.

A simple pre-deployment hardening process takes care of these common issues and results in a more solid network perimeter.
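As an added example of what that hardening check can look like (not code from the original post), the script below audits a ScreenOS-style configuration dump for three of the four problems listed above plus the unrestricted-management point: cleartext management protocols, superfluous services, the default admin account name, and the absence of trusted-source restrictions. The config lines are constructed; the command forms (`set interface <if> manage <service>`, `set admin manager-ip <ip> <mask>`, `set admin name`) are recalled from the ScreenOS CLI and should be checked against your own `get config` output. Certificate quality (item 2) is not visible in this form and is left out.

```python
"""Added example (not part of the original post): audit a ScreenOS-style
configuration for the management-interface problems listed above.
Config samples are constructed; command syntax is assumed from the ScreenOS CLI."""
from collections import defaultdict

ALLOWED_MGMT_SERVICES = {"ssh", "ssl"}        # encrypted management only
CLEARTEXT_MGMT_SERVICES = {"telnet", "web"}   # credentials cross the wire unencrypted
DEFAULT_ADMIN_NAME = "netscreen"              # factory default admin account name


def parse_config(config_text):
    """Collect the settings the audit needs from 'set' / 'unset' lines."""
    manage = defaultdict(set)   # interface -> management services enabled on it
    manager_ips = []            # trusted sources permitted to reach management
    admin_name = None
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3:
            continue
        verb, obj = parts[0], parts[1]
        if obj == "interface" and len(parts) >= 5 and parts[3] == "manage":
            iface, svc = parts[2], parts[4]
            if verb == "set":
                manage[iface].add(svc)
            elif verb == "unset":
                manage[iface].discard(svc)
        elif verb == "set" and obj == "admin":
            if parts[2] == "manager-ip" and len(parts) >= 4:
                manager_ips.append(" ".join(parts[3:5]))
            elif parts[2] == "name" and len(parts) >= 4:
                admin_name = parts[3].strip('"')
    return manage, manager_ips, admin_name


def audit_config(config_text):
    """Return (code, detail) findings; an empty list means no issue was found."""
    manage, manager_ips, admin_name = parse_config(config_text)
    findings = []
    for iface, services in sorted(manage.items()):
        for svc in sorted(services & CLEARTEXT_MGMT_SERVICES):
            findings.append(("CLEARTEXT_MGMT",
                             "%s: %s sends credentials unencrypted" % (iface, svc)))
        for svc in sorted(services - ALLOWED_MGMT_SERVICES - CLEARTEXT_MGMT_SERVICES):
            findings.append(("SUPERFLUOUS_SERVICE",
                             "%s: %s management enabled" % (iface, svc)))
    if manage and not manager_ips:
        findings.append(("UNRESTRICTED_MGMT",
                         "no 'set admin manager-ip' entries: any source that can "
                         "reach a managed interface may attempt to log in"))
    if admin_name == DEFAULT_ADMIN_NAME:
        findings.append(("DEFAULT_ADMIN",
                         "admin account still uses the default name %r" % admin_name))
    return findings


def finding_codes(config_text):
    """Set of finding codes, convenient for comparing two configs."""
    return {code for code, _ in audit_config(config_text)}


# Constructed 'before' configuration showing the weak settings.
WEAK_CONFIG = """\
set admin name "netscreen"
set admin password "<hash>"
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage snmp
set interface ethernet0/1 manage ssh
"""

# Constructed 'after' configuration: encrypted management only, restricted to one
# management subnet, renamed admin account.
HARDENED_CONFIG = """\
set admin name "fw-admin"
set admin password "<hash>"
set admin manager-ip 10.10.0.0 255.255.255.0
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
unset interface ethernet0/0 manage telnet
unset interface ethernet0/0 manage web
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("==", name)
        for code, detail in audit_config(cfg) or [("OK", "no findings")]:
            print("  %-20s %s" % (code, detail))
```

Run against an exported configuration before the device goes into production; anything the audit reports should be fixed in the build template rather than on the individual box so the next deployment does not repeat it.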