[CVE-2015-7755] Backdoor in Juniper/ScreenOS
Steven M. Bellovin
smb at cs.columbia.edu
Fri Dec 18 16:52:42 UTC 2015
On 18 Dec 2015, at 7:28, Dave Taht wrote:
> I think "unauthorized code" is still plausible newspeak for "bug".
> Why blame finger foo when you can blame terrorists?
It looks like two different holes, one a back door for unauthorized
console login and one to somehow leak VPN encryption keys. There are
hints that that latter involved tinkering with certain constants in
the crypto (https://twitter.com/matthew_d_green/status/677871004354371584);
that would squarely point the finger at some government's intelligence
I don't know who did it, but neither 'bug' nor 'developer debugging
code' sounds plausible here.
More information about the NANOG