[ISN] NASA, Dept of Defense, Commerce etc probed over use of backdoored Juniper kit

www.theregister.co.uk/2016/01/26/juniper_us_government/ By Chris Williams The Register 26 Jan 2016 A bunch of US government departments and agencies – from the military to NASA – are being grilled over their use of backdoored Juniper firewalls. The House of Representatives’ Committee on Oversight and Government Reform fired off letters to top officials over the weekend, demanding to know if any of the dodgy NetScreen devices were used in federal systems. Juniper’s ScreenOS software – the firmware that powers in its firewalls – was tampered with by mystery hackers a few years ago to introduce two vulnerabilities: one was an administrator-level backdoor accessible via Telnet or SSH using a hardcoded password, and the other allowed eavesdroppers to decrypt intercepted VPN traffic. The flaws, which were smuggled into the source code of the firmware, were discovered on December 17 by Juniper, and patches were issued three days later to correct the faults. The backdoor (CVE-2015-7755) affects ScreenOS versions 6.3.0r17 through 6.3.0r20, and the weak VPN encryption (CVE-2015-7756) affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. […]