
Discover and Monitor Juniper Vulnerability CVE-2015-7755 Exploits with Splunk

Hello Security Ninjas,

The recent Juniper firewall vulnerability (CVE-2015-7755) is another instance of what has been coined a “high-impact vulnerability”: one with wide distribution and a high risk of exploitation. Previous examples include Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271). This vulnerability is a little different in that it affects a commercial product, and more specifically a network security device, putting many enterprise organizations at substantial risk. Kenneth Westin, Specialist in our security division, reviewed the latest Juniper OS vulnerability:

According to Juniper, the ScreenOS vulnerability (CVE-2015-7755) allows unauthorized remote administrative access to the firewall, which if exploited can lead to complete compromise of the affected device. The vulnerability is present in ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. Patching is now critical, because the exploit consists of a single system-level password that is now public.

Action recommendations

When dealing with a high impact vulnerability such as this, the following are the steps organizations should take immediately:

  1. Identify what systems are affected by the vulnerability
  2. If patches are available, patch vulnerable systems immediately
  3. Identify if possible whether an active exploit was used targeting the vulnerability in your environment
  4. Identify what changes occurred on exploited systems and if there are signs of a pivot from those systems to others within the environment
  5. Once the compromised assets and accounts are identified, take steps immediately to remediate these systems

Detect active exploits

Finding if the exploit has been used against an asset in your environment is easy with Splunk. Juniper has provided information regarding indicators that would exist in logs if the exploit was triggered:

Normal login by user username1:

2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from …..
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username1’ at host …

Compromised login by user username2:

2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from …..
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host …

With a simple search in Splunk you can quickly identify successful exploitation of a given asset in your environment. The search can also be saved and scheduled so that it alerts on any future attempts.


sourcetype="netscreen:firewall" 00515 AND "Admin user system"
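The search above keys on the one detail the backdoor cannot hide in the 00515 message: the admin user is always reported as “system”, whatever name the client typed. The 00528 line, by contrast, records the typed name and on its own looks like an ordinary login. The following Python script is an added example (not part of this post or of any Splunk or Juniper tooling) that applies the same signature offline to a handful of constructed ScreenOS log lines and pairs each hit with its 00528 event so the analyst also sees the username that was typed. The log lines, source addresses and the trailing client port in the “from” field are constructed for the example, and pairing by identical timestamp and source host is a heuristic assumption, not a documented ScreenOS correlation key.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ScreenOS log lines, modelled on the format quoted in Juniper's
# advisory. Addresses are documentation/placeholder values, not real indicators.
SAMPLE_LOGS = [
    "2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from 10.0.0.5:51000",
    "2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'username1' at host 10.0.0.5",
    "2015-12-17 09:05:12 system warn 00515 Admin user system has logged on via SSH from 192.0.2.44:40022",
    "2015-12-17 09:05:12 system warn 00528 SSH: Password authentication successful for admin user 'username2' at host 192.0.2.44",
    # Constructed: a 'system' logon with no matching 00528 line (e.g. the pair was split across rotations)
    "2015-12-17 09:09:30 system warn 00515 Admin user system has logged on via Telnet from 198.51.100.7:3300",
]

# Message 00515: the account the firewall records as logged on. The backdoor always yields "system".
LOGON_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system warn 00515 Admin user (?P<user>\S+) has logged on "
    r"via (?P<proto>\S+) from (?P<src>\S+)"
)
# Message 00528: the username the client actually typed at the prompt.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system warn 00528 SSH: Password authentication successful "
    r"for admin user '(?P<user>[^']+)' at host (?P<host>\S+)"
)
BACKDOOR_USER = "system"


@dataclass
class Finding:
    timestamp: str
    protocol: str
    source: str
    typed_user: Optional[str]  # None when no 00528 line could be paired


def find_backdoor_logons(lines: List[str]) -> List[Finding]:
    """Return one Finding per 00515 event whose admin user is 'system'.

    Each hit is paired (heuristically, by timestamp and source host) with the 00528
    event that carries the typed username, since 00528 alone gives no hint of compromise.
    """
    typed_by_key = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            typed_by_key[(m["ts"], m["host"])] = m["user"]

    findings = []
    for line in lines:
        m = LOGON_RE.match(line)
        if not m or m["user"] != BACKDOOR_USER:
            continue
        host = m["src"].rsplit(":", 1)[0]  # drop the client port, if present
        findings.append(Finding(
            timestamp=m["ts"],
            protocol=m["proto"],
            source=m["src"],
            typed_user=typed_by_key.get((m["ts"], host)),
        ))
    return findings


if __name__ == "__main__":
    for f in find_backdoor_logons(SAMPLE_LOGS):
        who = f.typed_user or "<no 00528 event paired>"
        print(f"{f.timestamp} backdoor logon via {f.protocol} from {f.source}; typed username: {who}")
```

Run against the sample, the script reports two hits (the SSH logon paired with the typed name “username2”, and the Telnet logon with no paired 00528 line) and ignores username1's legitimate session. The pairing step is what a scheduled Splunk alert would typically add next: the 00515 match is the detection, and the 00528 context tells the responder which name and source to chase.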

It is important to point out that in Juniper’s advisory they state:

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been compromised.

This is the case only if the logs exist solely in the device's local log file. It illustrates the importance of forwarding log data off the device to a separately hosted log intelligence tool such as Splunk, particularly when dealing with security data, so that an attacker who clears the local log cannot erase the evidence.

There is also a Splunk Add-On for Juniper that makes it easy to ingest Juniper logs into Splunk if you are not already doing so. Splunk Enterprise Security customers can easily find the “system” user in the pre-built dashboards.

Happy Splunking


Matthias Maier is Product Marketing Director at Splunk, as well as a technical evangelist in EMEA, responsible for communicating Splunk's go-to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously, Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.