nanog mailing list archives

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 18 Dec 2015 11:52:42 -0500



On 18 Dec 2015, at 7:28, Dave Taht wrote:

I think "unauthorized code" is still plausible newspeak for "bug".

Why blame finger foo when you can blame terrorists?


It looks like two different holes, one a back door for unauthorized
console login and one to somehow leak VPN encryption keys.  There are
hints that that latter involved tinkering with certain constants in
the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
that would squarely point the finger at some government's intelligence
agency.

I don't know who did it, but neither 'bug' nor 'developer debugging
code' sounds plausible here.

Current thread:

[CVE-2015-7755] Backdoor in Juniper/ScreenOS Stephane Bortzmeyer (Dec 18)
- Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Karsten Thomann (Dec 18)
  - Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Dave Taht (Dec 18)
    - Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Steven M. Bellovin (Dec 18)
    - Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Steven M. Bellovin (Dec 18)
    - Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Royce Williams (Dec 18)
    - Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Steven M. Bellovin (Dec 18)
  - Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS A . L . M . Buxey (Dec 18)
- Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Stephane Bortzmeyer (Dec 21)
- Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS Doug Barton (Dec 21)