You may have seen the many articles confirming the backdoor password in Juniper's ScreenOS firewalls. As alarming as this advisory may be, especially if you run the affected firewalls (6.2.0r15 through 6.2.0r18, 6.3.0r12 and 6.3.0r20), it is time to fix the problem. The problem was “unauthorized code”, better known as “modified code”: a form of breach in which any modification, addition, and/or development of code scripts and/or services deviates from the predefined product code trees or modules. This is probably something that we will continue to see as IT diffuses more into our everyday lives.
I do not think this is a case where one should jump ship from Juniper hardware/software; rather, I believe it is a time to be aware that malicious intent to compromise data is growing. If it can happen with one vendor, then it surely can happen with all. This is why I am writing this article. Breaches will happen; it is how quickly we respond that makes a positive difference.
Below is a very short and simple guide on how to patch your Juniper ScreenOS firewalls (link included for full detailed description).
First, make sure that you have the correct signing key. If you have not upgraded the signing key, which changed in August 2014, your ScreenOS may not boot properly. You can download the new signing key from the Juniper support site: http://www.juniper.net/techpubs/hardware/netscreen-certifications/imagekey.zip
Second, pull a fresh configuration backup on all of your devices, in case there are issues and you need a solid recovery point.
Third, on the CLI, verify which signing key is currently being used. If it starts with 308201ac, then you need to update your image key prior to upgrading the device. The new signing key for ScreenOS 6.3R21 should begin with 308201ad.
Fourth, upgrade the image key.
Fifth, upgrade ScreenOS.
Finally, the file will upload and, when complete, it will apply and the device will reboot, which will take around 5-10 minutes. After the reboot, log in and confirm the upgrade.
If you want a detailed description on how to perform the ScreenOS upgrade check out this very helpful link: http://puluka.com/home/techtalknetworking/screenoscriticalsecurityissue2015.html
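The signing-key check in the third step decides whether the image key has to be replaced before the upgrade, so it is worth running across every device before a maintenance window. The script below is an added example, not Juniper's or this article's own tooling: it reads text captured from each device's CLI, finds the start of the signing key, and returns the steps above that apply. The capture format, device names, and function names are assumptions made for the example.

```python
import re

OLD_KEY_PREFIX = "308201ac"  # per the article: image key must be updated first
NEW_KEY_PREFIX = "308201ad"  # per the article: key expected for ScreenOS 6.3R21

SEP = r"[\s:]*"  # tolerate colons, spaces and line wraps inside the hex string
# "3082" not preceded by a hex digit, followed by four more hex digits.
KEY_START = re.compile(
    r"(?<![0-9a-f])" + SEP.join("3082") + r"(?:" + SEP + r"[0-9a-f]){4}"
)

def key_prefix(cli_text):
    """Return the first 8 hex digits of the signing key in cli_text, or None."""
    match = KEY_START.search(cli_text.lower())
    return re.sub(r"[\s:]", "", match.group(0)) if match else None

def plan(cli_text):
    """Return the ordered steps from the article that apply to one device."""
    prefix = key_prefix(cli_text)
    if prefix not in (OLD_KEY_PREFIX, NEW_KEY_PREFIX):
        # Never upgrade blind: an unidentified key may leave the device unbootable.
        return ["backup config", "stop: signing key not recognised, review manually"]
    steps = ["backup config"]
    if prefix == OLD_KEY_PREFIX:
        steps.append("upgrade image key")
    return steps + ["upgrade ScreenOS", "confirm version after reboot"]

# Constructed sample captures (hypothetical format, not real device output).
CAPTURES = {
    "fw-a": "signing key: 308201AC300D06092A864886",
    "fw-b": "signing key: 30:82:01:ad:30:0d:06:09",
    "fw-c": "signing key:\n  3082\n  01ad300d0609",
    "fw-d": "no key material in this capture, serial 0123082",
}

if __name__ == "__main__":
    for name, text in sorted(CAPTURES.items()):
        print(name, "->", "; ".join(plan(text)))
```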
If you are having trouble upgrading your device and/or do not have enough time to upgrade and need some help, call Bird Rock Systems today and let our expert engineers help make your “…IT better!”
Call at 858.777.1617 or email us at email@example.com.