Zero-day vulnerability in Juniper ScreenOS

Information disclosure

Revealed during source code review by the vendor.

Vulnerability details

Advisory: SB2015121701 - Two backdoors in Juniper ScreenOS

Vulnerable component: Juniper ScreenOS

CVE-ID: CVE-2015-7756

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm


The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to usage of insecure encryption keys. A remote attacker can with ability to monitor VPN traffic can intercept and decrypt it.

Successful exploitation of the vulnerability results in information disclosure on the target system.

Note: the vulnerability was disclosed as part of two backdoors during internal source code audit.