Discover and Monitor Juniper Vulnerability CVE-2015-7755 Exploits with Splunk

Hello Security Ninjas,

The recent Juniper firewall vulnerability (CVE-2015-7755) is another version of what has been coined as a “high-impact vulnerability”. Such vulnerabilities are characterized as having a wide distribution and high risk of exploitation. Previous examples include Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271). This vulnerability is a little different as it affects a commercial product and more specifically a network security device, putting many enterprise organizations at substantial risk. Kenneth Westin, Specialist in our security division, made a review of the latest Juniper OS Vulnerability:

According to Juniper the ScreenOs vulnerability (CVE-2015-7755) allows unauthorized remote administrative access to the firewall, which if exploited can lead to complete compromise of the affected device. The vulnerability is present in ScreenOS 6.2.0r15 through 6.2.0r18, and 6.3.0r12 through 6.3.0r20. This vulnerability is now critical to patch as the exploit consists of a single system level password that is now public.

Action recommendations

When dealing with a high impact vulnerability such as this, the following are the steps organizations should take immediately:

  1. Identify what systems are affected by the vulnerability
  2. If patches are available, patch vulnerable systems immediately
  3. Identify if possible whether an active exploit was used targeting the vulnerability in your environment
  4. Identify what changes occurred on exploited systems and if there are signs of a pivot from those systems to others within the environment
  5. Once the compromised assets and accounts are identified steps should be taken immediately to remediate these systems

Detect active exploits

Finding if the exploit has been used against an asset in your environment is easy with Splunk. Juniper has provided information regarding indicators that would exist in logs if the exploit was triggered:

Normal login by user username1:

2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from …..
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username1’ at host …

Compromised login by user username2:

2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from …..
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host …

By doing an easy search in Splunk you can quickly identify the successful exploitation of a given asset in that environment. The search can also be saved and then scheduled to alert any potential future attempts.

juniper-password-search

sourcetype=”netscreen:firewall” 00515 AND “Admin user system”

It is important to point out that in Juniper’s advisory they state:

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been compromised.

This is the case only if the logs reside on the host system on the local log file. This illustrates the importance of passing log data to a host based log intelligence tool such as Splunk, particularly when dealing with security data.

There is also a Splunk Add-On for Juniper to make it easy to ingest Juniper logs into Splunk if you are not already doing so. For Splunk Enterprise Security customers they can easily find the “system” user in the pre-built dashboards.

Happy Splunking