Last week was a busy one for leading network and security appliance manufacturers FireEye and Juniper Networks. Critical flaws were discovered in hardware products from both vendors, bringing the distressing but unavoidable question to the forefront once again: what recourse is there when the very security mechanisms in place to protect our data assets are themselves highly flawed?
The past few days have seen the releases of highly critical security updates from the two vendors: a patch to address a vulnerability in FireEye's popular NX, EX, AX and FX lines of network security devices, and a patched version of Juniper Networks' ScreenOS. Customers have been desperately awaiting resolution since the independent discovery of the flaws last week, which in Juniper's case was made by its own security team. The FireEye security device flaw was discovered by security researchers at Google Project Zero.
FireEye Device Exploitation
Google Project Zero's blog explains the security flaw in full detail. In essence, a critical vulnerability in FireEye's NX, EX, AX, and FX network security devices with security content versions 427.334 or older could allow an attacker to root a device through an email phishing scheme.
Anatomy of the FireEye device exploit. Source: Googleprojectzero.blogspot.com.
The Fix: Details here. It's worth noting that the fix is applied through the device's automated security content update; if the device is set to manual update, the fix will not be applied automatically.
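An inventory check for the caveat above, as an added example that is not from FireEye or the original article: it flags devices at security content version 427.334 or older and separates out those set to manual update. The CSV columns, hostnames and `update_mode` values are constructed for illustration, and the code assumes version components order numerically.

```python
import csv
import io

# Highest affected security content version, as stated in the article.
LAST_AFFECTED = (427, 334)

# Constructed sample inventory; the column names and update_mode values are
# assumptions for this example, not a FireEye export format.
SAMPLE_INVENTORY = """\
hostname,model,content_version,update_mode
nx-edge-01,NX,427.334,auto
ex-mail-01,EX,427.334,manual
ax-lab-01,AX,427.1000,manual
fx-files-01,FX,426.900,auto
nx-dmz-02,NX,unknown,manual
"""

def parse_version(text):
    """Return (major, minor) as ints, or None if the string is not N.N."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])

def audit(inventory_csv):
    """Classify each device as patched, pending-auto, manual-action or review."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["content_version"])
        if version is None:
            status = "review"          # unreadable version: treat as unverified
        elif version > LAST_AFFECTED:  # numeric compare, so 427.1000 > 427.334
            status = "patched"
        elif row["update_mode"].strip().lower() == "auto":
            status = "pending-auto"    # affected; the automated content update delivers the fix
        else:
            status = "manual-action"   # affected; the fix will not arrive without an operator
        results[row["hostname"]] = status
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Comparing the versions as strings would rank 427.1000 below 427.334, which is why the check parses them into integer pairs first.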
Juniper Networks Backdoor and VPN Vulnerability
Juniper issued this announcement last week regarding the discovery of two ScreenOS vulnerabilities during an internal code review:
- CVE-2015-7755: enables the compromise of the device via an unauthorized remote access vulnerability over SSH/telnet.
- CVE-2015-7756: allows an attacker to gain access to and silently decrypt/monitor VPN traffic through two backdoors.
Anatomy of the Juniper Networks firewall backdoor. Source: Wired.com.
The Fix: Download the appropriate update at the ScreenOS software release download page.
These recently discovered vulnerabilities attest to the fact that all technology is flawed, even security products. Consequently, the best cyber defense model is one that takes a layered approach to security, combining continuous security monitoring and validation with traditional security solutions like IDPS and firewalls. UpGuard's platform is capable of comprehensive vulnerability scanning and monitoring across complex, heterogeneous environments, for all node types: servers, databases, and even network appliances made by vendors such as FireEye and Juniper Networks. Try it for free: the first 10 nodes are on us.