Slashdot Mirror


Congress Gives Federal Agencies Two Weeks To Tally Backdoored Juniper Kit (csoonline.com)

itwbennett writes: In an effort to gauge the impact of the recent Juniper ScreenOS backdoors on government organizations, the House of Representatives is questioning around two dozen U.S. government departments and federal agencies. The U.S. House of Representatives' Committee on Oversight and Government Reform sent letters to the agencies on Jan. 21, asking them to identify whether they used devices running the affected ScreenOS versions, to explain how they learned about the issues and whether they took any corrective actions before Juniper released patches, and to specify when they applied the company's patches. The questioned organizations have until Feb. 4 to respond and deliver the appropriate documents, a very tight time frame given that 'the time period covered by this request is from January 1, 2009 to the present.'

1 of 77 comments

  1. 2009 time frame is bogus by Anonymous Coward · Score: 3, Informative

    Here's the letter to SSA:

    Dear Ms. Colvin:
    On December 17, 2015, Juniper Networks announced in a press release that it discovered
    “unauthorized code that could allow a knowledgeable attacker to gain administrative access” to
    certain devices and “decrypt VPN connections.”

    On December 20, 2015, Juniper Networks issued a patch to the aforementioned software
    vulnerability to their ScreenOS platform. In a related press release, Juniper Networks listed
    vulnerable devices and described the potential exposure if this vulnerability was exploited:

    - Administrative Access (CVE-2015-7755) affecting devices running ScreenOS 6.3.0r17 through 6.3.0r20; and
    - VPN decryption (CVE-2015-7756) affecting devices running ScreenOS 6.2.0r15 through 6.2.0r18, ScreenOS 6.3.0r12 through 6.3.0r20.

    So that the Committee may better understand the extent of the ScreenOS vulnerabilities
    and related effects on the cybersecurity posture of federal agencies that use the ScreenOS
    platform, please provide the following documents and information as soon as possible, but no
    later than 5:00 p.m. on February 4, 2016:

    1. Documents sufficient to identify whether your agency, or any component agency,
    used the affected Juniper ScreenOS platforms;
    2. Documents and communications referring or relating to how the agency, or its
    components, discovered the vulnerability and if any corrective measures were taken
    prior to deploying the software patch issued by Juniper Networks on December 20,
    2015;
    3. Documents and communications referring or relating to what version(s) of ScreenOS
    your agency, or any component agency, used; and
    4. Documents sufficient to show when your agency, or any component agency,
    deployed the software patch issued by Juniper Networks on December 20, 2015.

    The Committee on Oversight and Government Reform is the principal oversight
    committee of the House of Representatives and may at “any time” investigate “any matter” as set
    forth in House Rule X.

    When producing documents to the Committee, please deliver production sets to the
    Majority staff in room 2157 of the Rayburn House Office Building and the Minority staff in
    room 2471 of the Rayburn House Office Building. The Committee prefers, if possible, to
    receive all documents in electronic format. An attachment to this letter provides additional
    information about responding to the Committee’s request.

    Please contact Mike Flynn of the Majority staff at (202) 225-5074 or Brian Quinn of the
    Minority staff at (202) 225-5051 with any questions about this request. Thank you for your
    attention to this matter.
    [signatures]

    There's no mention of getting information as far back as 2009 in the letter. That bit was from some attached boilerplate rules about how the committee wants the report formatted, media, etc. Other letters that have nothing to do with the Juniper firewall issue have the same boilerplate rules attached. The committee only wants the information as stated in their four items. I don't know why the report in TFA put in that bit about the 2009 timeframe other than to exaggerate the work each agency is going to have to do.