Juniper has now completed the ScreenOS VPN updates with the removal of the DUAL_EC_DRBG and the ANSI X9.31 PRNG in ScreenOS 6.3r22<\/p>\n
http:\/\/forums.juniper.net\/t5\/Security-Incident-Response\/Juniper-Networks-Completes-ScreenOS-Update\/b…<\/a><\/p>\n Plan on downloading and updating systems accordingly.<\/p>\n To my friends running ScreenOS from Juniper, please review this critical security notice.<\/p>\n These issues can affect any product or platform running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.\u00a0 The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system.\u00a0 The second issue may allow a knowledgeable attacker to decrypt encrypted VPN traffic.<\/p>\n Remember to read the new signing key warnings.\u00a0 Your hardware may need the new signing key installed prior to upgrade to boot properly from the new images.<\/p>\n 1-Download the new signing key from the Juniper support site<\/p>\n http:\/\/www.juniper.net\/techpubs\/hardware\/netscreen-certifications\/imagekey.zip<\/a><\/p>\n example on linux<\/p>\n $ md5sum imagekey.cer<\/p>\n 99def4b80b75ed65aad52a5fc3ed1131\u00a0 imagekey.cer<\/p>\n Mac OSX use:<\/p>\n $ md5 imagekey.cer<\/p>\n MD5 (imagekey.cer) = 99def4b80b75ed65aad52a5fc3ed1131<\/p>\n Thanks to Ryan in the comments. \u00a0Windows 7 hash check per: Get-FileHash imagekey.cer -Algorithm MD5<\/p>\n Other Windows you will need to download a check sum utility like this one from MS others are also available<\/p>\n https:\/\/support.microsoft.com\/en-us\/kb\/889768<\/a><\/p>\n 2-Download the ScreenOS Image 6.3R21 from the Support site<\/p>\n MD5: 1974c20ed045b4de908a01221db63684<\/p>\n 1-Pull a fresh configuraiton backup on all your devices to be sure you have a solid recovery point in case there are issues.<\/p>\n Choose: Save to file<\/p>\n 2-On the CLI verify which signing key is currently on the device.\u00a0 The new and correct signing key for ScreenOS 6.3R21 begins with\u00a0 308201ad as shown below.<\/p>\n If the key begins with 308201ac then you MUST UPDATE THE IMAGE KEY BEFORE UPGRADING THE DEVICE.<\/p>\n ssg5-serial-> exec pki test skey<\/p>\n exec pki test <skey>.<\/p>\n Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000<\/p>\n KEY1\u00a0 N\/A len =433<\/p>\n \u00a0308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0<\/p>\n KEY2\u00a0 N\/A len =433<\/p>\n \u00a0308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0<\/p>\n KEY3\u00a0 N\/A len =433<\/p>\n \u00a0308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651 magic1 = f7e9294b magic2=0<\/p>\n 2-Upgrade the Image key: \u00a0(if required)<\/p>\n Select the Image Signature Key update radio button<\/p>\n Choose file: the imagekey.cer<\/p>\n Select Apply button<\/p>\n 3-Upgrade ScreenOS:<\/p>\n Select the Firmware Update radio button<\/p>\n Choose file: ssg5ssg20.6.3.0r21.0<\/p>\n Select Apply<\/p>\n The file will upload showing progress on the lower left<\/p>\n When complete it will apply and reboot taking about 5-10 minutes<\/p>\n 3-When the device is available login and confirm the upgrade<\/p>\n This error will occur if you upgrade to the new ScreenOS image and still have the OLD signing key on your device. \u00a0The boot screen on the console port will show this message:<\/p>\n ********Invalid image!!! Fips check failed To recover from this error and allow the device to boot you need to delete the signing key.<\/p>\n delete crypto auth-key<\/p>\n Then reboot the device and the new ScreenOS should load.<\/p>\n http:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=JSA10713<\/a><\/p>\n http:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=TSB16495<\/a><\/p>\nCritical ScreenOS Security Flaw<\/h1>\n
UPGRADE AFFECTED SYSTEMS AS SOON AS PRACTICAL<\/h3>\n
WARNING: ScreenOS SIGNING KEY CHANGED IN AUGUST 2014 – VERIFY SYSTEMS BEFORE UPGRADE<\/h3>\n
Upgrade procedure<\/h1>\n
Preparation:<\/h2>\n
\n
\nhttps:\/\/technet.microsoft.com\/en-us\/library\/dn520872.aspx<\/a><\/p>\n\n
Upgrade procedure:<\/h2>\n
\n
\n
\n
Error:\u00a0Bogus image – not authenticated!!!<\/h1>\n
\n********Bogus image – not authenticated!!!<\/p>\n
\nDone<\/p>\nReferences:<\/h1>\n
Security notice<\/h2>\n
Signing Key Articles<\/h2>\n