Vulnerability Details : CVE-2015-7756
The encryption implementation in Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 makes it easier for remote attackers to discover the plaintext content of VPN sessions by sniffing the network for ciphertext data and conducting an unspecified decryption attack.
Exploit prediction scoring system (EPSS) score for CVE-2015-7756
Probability of exploitation activity in the next 30 days: 2.58%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 89 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-7756
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2015-7756
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-7756
-
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713
Juniper Networks - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756)Vendor Advisory
-
http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
“Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica
-
https://github.com/hdm/juniper-cve-2015-7755
GitHub - hdm/juniper-cve-2015-7755: Notes, binaries, and related information from analysis of the CVE-2015-7755 & CVE-2015-7756 issues within Juniper ScreenOS
-
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors | WIRED
-
http://www.securitytracker.com/id/1034489
Juniper ScreenOS Unauthorized Code Lets Remote Users Gain Administrative Access and Also Decrypt VPN Data - SecurityTracker
-
https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
Important Announcement about ScreenOS® - J-Net Community
-
http://www.forbes.com/sites/thomasbrewster/2015/12/18/juniper-says-it-didnt-work-with-government-to-add-unauthorized-code-to-network-gear/
Juniper Says It Didn't Work With Government To Add 'Unauthorized Code' To Network Gear
-
http://www.kb.cert.org/vuls/id/640184
VU#640184 - Juniper ScreenOS contains multiple vulnerabilities
-
https://adamcaudill.com/2015/12/17/much-ado-about-juniper/
Much ado about Juniper — Adam Caudill
Products affected by CVE-2015-7756
- cpe:2.3:o:juniper:screenos:6.3.0:r17:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r20:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r18:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r19:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.2.0r17:*:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.2.0r18:*:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.2.0r15:*:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.2.0r16:*:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r15:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r16:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r12:*:*:*:*:*:*
- cpe:2.3:o:juniper:screenos:6.3.0:r14:*:*:*:*:*:*