Critical ScreenOS Security Flaw:
6.2.0r15 through 6.2.0r18 and
6.3.0r12 through 6.3.0r20.
Update 4/6/2016: New ScreenOS 6.3r22 release
Juniper has now completed the ScreenOS VPN updates with the removal of the DUAL_EC_DRBG and the ANSI X9.31 PRNG in ScreenOS 6.3r22.
Plan on downloading and updating your systems accordingly.
Critical ScreenOS Security Flaw
To my friends running ScreenOS from Juniper, please review this critical security notice.
These issues can affect any product or platform running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system. The second issue may allow a knowledgeable attacker to decrypt encrypted VPN traffic.
UPGRADE AFFECTED SYSTEMS AS SOON AS PRACTICAL
Remember to read the new signing key warnings. Your hardware may need the new signing key installed prior to upgrading so that it boots properly from the new images.
WARNING: ScreenOS SIGNING KEY CHANGED IN AUGUST 2014 – VERIFY SYSTEMS BEFORE UPGRADE
Upgrade procedure
Preparation:
1-Download the new signing key from the Juniper support site
http://www.juniper.net/techpubs/hardware/netscreen-certifications/imagekey.zip
- Expand the zip file
- Verify the signing key checksum
Example on Linux:
$ md5sum imagekey.cer
99def4b80b75ed65aad52a5fc3ed1131 imagekey.cer
On Mac OS X use:
$ md5 imagekey.cer
MD5 (imagekey.cer) = 99def4b80b75ed65aad52a5fc3ed1131
Thanks to Ryan in the comments. Windows 7 hash check per:
https://technet.microsoft.com/en-us/library/dn520872.aspx
Get-FileHash imagekey.cer -Algorithm MD5
On other Windows versions you will need to download a checksum utility, like this one from Microsoft (others are also available):
https://support.microsoft.com/en-us/kb/889768
2-Download the ScreenOS Image 6.3R21 from the Support site
- Expand the zip file
- Verify the ScreenOS file checksum
MD5: 1974c20ed045b4de908a01221db63684
Upgrade procedure:
1-Pull a fresh configuration backup on all your devices to be sure you have a solid recovery point in case there are issues.
- Configuration > Update > Config File
Choose: Save to file
2-On the CLI verify which signing key is currently on the device. The new and correct signing key for ScreenOS 6.3R21 begins with 308201ad as shown below.
If the key begins with 308201ac then you MUST UPDATE THE IMAGE KEY BEFORE UPGRADING THE DEVICE.
ssg5-serial-> exec pki test skey
exec pki test <skey>.
Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000
KEY1 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0
KEY2 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0
KEY3 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0
3-Upgrade the Image key (if required):
- Configuration > Update > ScreenOS/Keys
Select the Image Signature Key update radio button
Choose file: the imagekey.cer
Select the Apply button
4-Upgrade ScreenOS:
- Configuration > Update > ScreenOS/Keys
Select the Firmware Update radio button
Choose file: ssg5ssg20.6.3.0r21.0
Select Apply
The file will upload, showing progress on the lower left.
When complete it will apply and reboot, taking about 5-10 minutes.
5-When the device is available, log in and confirm the upgrade.
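The two checks that decide whether the upgrade is safe to start are the file checksums from the preparation section and the signing-key prefix from step 2 of the upgrade procedure. The script below is an added example, not part of the original post or of any Juniper tooling: it wraps the md5sum/md5 command from the page into a comparison against the expected digest, and parses a saved copy of the `exec pki test skey` console output to report whether the old key (308201ac) is still installed. The expected hashes are the ones quoted on this page; the sample console output at the bottom is constructed to match the page's format.

```shell
#!/bin/sh
# Added example (not from the original post): pre-upgrade checks for ScreenOS 6.3R21.

# Expected MD5 digests as published on the page above.
IMAGEKEY_MD5=99def4b80b75ed65aad52a5fc3ed1131
SCREENOS_6_3R21_MD5=1974c20ed045b4de908a01221db63684

# md5_of FILE -> prints the hex MD5 digest (md5sum on Linux, md5 -q on Mac OS X).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED -> returns 0 when the digest matches, 1 otherwise.
# Usage: verify_md5 imagekey.cer "$IMAGEKEY_MD5"
#        verify_md5 ssg5ssg20.6.3.0r21.0 "$SCREENOS_6_3R21_MD5"
verify_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "FAIL $1 expected $2 got $actual" >&2
    return 1
}

# check_skey_output -> reads saved 'exec pki test skey' output on stdin.
# Returns 0 when every key slot begins with 308201ad (new key installed),
#         1 when any slot begins with 308201ac (old key: install imagekey.cer first),
#         2 when no key lines or an unrecognised prefix were found.
# Usage: check_skey_output < skey.txt   (skey.txt = pasted console output)
check_skey_output() {
    # Key material lines start with the DER prefix 3082; keep the first 8 hex chars.
    keys=$(grep '^3082' | cut -c1-8)
    if [ -z "$keys" ]; then
        echo "no signing key lines found in input" >&2
        return 2
    fi
    if echo "$keys" | grep -q '^308201ac$'; then
        echo "OLD signing key present: update the image key BEFORE upgrading" >&2
        return 1
    fi
    if echo "$keys" | grep -qv '^308201ad$'; then
        echo "unexpected key prefix in input: $keys" >&2
        return 2
    fi
    echo "new signing key (308201ad) present in all slots"
    return 0
}

# Demonstration on a constructed capture shaped like the page's console output.
sample_skey_output='KEY1 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0'
printf '%s\n' "$sample_skey_output" | check_skey_output
```

A matching digest only tells you the download was not corrupted in transit; the hash itself is only as trustworthy as the place you copied it from, so take the expected values from the Juniper support site rather than from a third-party page when you do this for real. The key check deliberately refuses (return 2) on any prefix it does not recognise rather than assuming it is safe.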
Error: Bogus image – not authenticated!!!
This error will occur if you upgrade to the new ScreenOS image and still have the OLD signing key on your device. The boot screen on the console port will show this message:
********Invalid image!!!
********Bogus image – not authenticated!!!
Fips check failed
Done
To recover from this error and allow the device to boot you need to delete the signing key.
delete crypto auth-key
Then reboot the device and the new ScreenOS should load.
References:
Security notice
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713
Signing Key Articles
http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495
http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16496
Originally Posted December 20, 2015
Last Revised on July 02, 2016
Mon December 21, 2015, 09:02:21
I just wanted to say Thank You for taking the time to post this guide.
It was very helpful and well written.
Happy holidays 🙂
Mon December 21, 2015, 10:06:33
With Windows 7+ you can use powershell to generate the file hash, using Get-FileHash, supports SHA1, SHA256, SHA384, SHA512, MACTripleDES, MD5, and RIPEMD160. See https://technet.microsoft.com/en-us/library/dn520872.aspx
Would be something like
Get-FileHash imagekey.cer -Algorithm MD5
Mon December 21, 2015, 16:30:26
Thanks Ryan for the Windows 7 built in hash check. I’ve added that to the preparation instructions.
Steve
Tue December 22, 2015, 09:59:46
Let me first add my thanks for sharing these notes on upgrading ScreenOS. It does seem interesting that Juniper announces in August 2014 that they believe their code signing key could have been compromised, and then in December 2015, they notify everyone that all current versions have “unauthorized code” implanted. Hhmmm.
One aspect of this requirement to upgrade the signing keys is that it cannot be done for any ScreenOS system that has had “fips-mode” enabled. The web GUI does not offer the ability to upload new signing keys while in fips-mode, and TFTP is disabled as well.
For some devices, it is possible to use TFTP for boot loader and firmware updates using the physical console connection, but no procedure is documented for uploading the “imagekey.cer” file at boot time.
Another option might be to use SCP to upload the new “imagekey.cer” file. However, Juniper does not appear to provide any mechanism for installing new signing keys via SCP. Furthermore, I would urge extreme caution to anyone who wants to experiment, as this is one way to truly “brick” your device with no practical means of recovery. For example, uploading a saved config file via SCP to a ScreenOS device that is in “fips-mode” will brick the device, as the config file will not be correctly signed by the device. (I speak from painful experience.)
I hope this advisory is helpful to others, even though I cannot offer any options other than going through the process of restoring the device to factory defaults and starting over. In this case, you would really want a *text* copy of the installed configuration.
Tue December 22, 2015, 17:03:06
Thanks Chuck for the notes on FIPS mode. I’ve never worked with this and your description is helpful.
Obviously I agree about having that text config file as a backup. This is step one. Most of my clients' sites are remote, so this config allows the quick dump onto a replacement device for shipping if the worst happens. And as you note, it gives you the option to go full factory reset and reload as well.
Steve
Thu January 21, 2016, 23:56:03
Hi, thank you for this helpful article
I wonder if old products like the SSG5 on version 6.0.0.1 are affected too?
thanks again
Sun January 24, 2016, 06:53:06
Elia,
No, the older versions like 6.0 are not affected. The code is in the versions indicated in my title here:
6.2.0r15 through 6.2.0r18 and
6.3.0r12 through 6.3.0r20.
Tue March 01, 2016, 08:44:14
Hi,
I have an SSG140 device with backdated firmware. I want to update it to the latest version, but I am unable to download from the Juniper site, probably a key issue. Can you please provide me the downloaded firmware (6.3.0R21) copy?
Thanks
Mamun
Sat April 02, 2016, 06:18:34
Mamun,
To access the Juniper downloads for this you will need to open a ticket on the support site. Juniper is giving free updates to anyone, even if you have no contract, due to this issue.
Juniper.net > Support > Cases > Create new case
Choose: Admin Service Case