Just before Christmas, Juniper announced that it had discovered unauthorized code in ScreenOS, the operating system used in its firewall networking equipment.
As Juniper described at the time, some versions of ScreenOS included a hidden administrative account (CVE-2015-7755) and contained a vulnerability that allowed attackers to decrypt VPN traffic (CVE-2015-7756).
Juniper released patches to fix these issues, but since very few network administrators patch their systems right away, many companies may still be running vulnerable versions of ScreenOS.
US Government trying to assess the damage caused by Juniper equipment on its network
In letters sent out to various US agencies, the US Senate is now trying to find out who did their job and who’s still lagging behind. All US agencies have until February 4, 2016, to report on the status of their ScreenOS patching operations so that the US Government can understand the actual extent of the damage these vulnerabilities cause(d) in its infrastructure.
The agencies that received these letters are:
→ US Department of Defense
→ US Department of State
→ US Department of Labor
→ US Department of Education
→ US Department of Energy
→ US Department of Commerce
→ US Department of Agriculture
→ US Department of Transportation
→ US Department of Health and Human Services
→ US Department of Treasury
→ US Department of the Interior
→ US Department of Veterans Affairs
→ US Department of Housing and Urban Development
→ US Social Security Administration
→ US Office of Personnel Management
→ US Environmental Protection Agency
→ US Nuclear Regulatory Commission
→ US General Services Administration
→ US Agency for International Development
→ US Small Business Administration
→ US Securities and Exchange Commission
→ Consumer Financial Protection Bureau
→ National Science Foundation