NETWORK SECURITY

  • 12/18/2015
    3:00 PM

Juniper Discovers Unauthorized Code In Its Firewall OS

Code was designed to decrypt VPN communication and enable remote administrative control of devices.

Security researchers today expressed deep concern over the disclosure by Juniper Networks this week that it had discovered unauthorized code in its ScreenOS firewall operating system that could allow an attacker to decrypt VPN communications or take complete administrative control of a compromised system.

In an out-of-cycle advisory issued yesterday, Juniper senior vice president and CIO Bob Worrall said the company discovered the code during a recent internal review and had moved quickly to patch the vulnerabilities. “We launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS,” Worrall said.

According to the company, all Juniper NetScreen devices running ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable and need to be patched immediately.

In a separate advisory, Juniper said the code causes two security issues. “The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system,” the company noted. Certain entries in the log file would indicate if someone had exploited the vulnerability, Juniper said.

Read the full article here on Dark Reading.


Comments

unauthorized code

This is a particularly unsettling piece of the story (emphasis added by me): "The second issue allows someone with the know-how to monitor and decrypt VPN traffic. Enterprises would have no way of knowing if the vulnerability has been exploited to snoop in on their encrypted VPN traffic."

Re: unauthorized code

Marcia,

Very Good point indeed!

What I (as a Security Professional) am interested in knowing is who was the person/Entity that discovered this Vulnerability in the first place.

Was this spyware/Bugware discovered by Juniper's In-house Security Team (when they were doing their routine code reviews) or did it come from a 3rd Party Researcher who disclosed this Vulnerability to Juniper and then (hopefully) gave Juniper time to make the necessary upgrades?

This is a point which can't be taken for Granted today.

If Juniper Discovered this internally, it becomes easier (in the future) for Current and Prospective consumers to trust the Security behind their Networking Infrastructure.

If not, who can tell whether there aren't many, many more such Spyware/Bugware embedded into their System?

The other thing I would be really interested in learning is how long it took Juniper to first discover the flaws and then patch them.

If it took them more than 3 months then I wouldn't trust my Critical Infrastructure/Data on Juniper Networks like ever.

As far as the issue of Snooping on VPN Traffic, I know for a fact that the NSA has broken through most of the Common Encryption Protocols out there (which go to secure VPN Traffic today); even TOR users no longer feel very safe (in spite of the constant upgrades they make to their Browser). So it wouldn't be beyond what the NSA (& that Gigantic datacentre in UTAH) are capable of achieving today.

Regards

Ashish.

Re: unauthorized code

I take that there is a cost associated with conducting internal periodic reviews. However, it is always better to incur these costs to discover unauthorized codes rather than having a breach that compromises the data of millions of customers (Target data breach). It would be good if more firms conducted internal reviews as it would strengthen the security environment of the world.

Re: unauthorized code

What is interesting in all of this is the fact that Huawei is "blacklisted" in the US because of alleged security concerns. Hmmm... It was mentioned somewhere that we don't know how long the code was in there. But the real question is how it got there in the first place. And have other vendors' products also been compromised and they haven't noticed it as yet?

Re: unauthorized code

I agree, it's pretty ironic considering all the allegations against Huawei (which must have some schadenfreude now).

Hopefully Juniper releases more details about this soon. 

Re: unauthorized code

Hi, but there are some ISPs which are swapping all the existing equipment from the fronthaul to core for Huawei-only equipment. About backdoors, I think that is not a problem now.

Re: unauthorized code

PMIT,

LOL!!!

This is so so funny and so true!

You will be surprised to know that Huawei networking Gear has found immense acceptance and popularity all across the Developing world today.

Do you feel this would have been the case if they were definitely Spying on all Consumer Data?

I most certainly don't think so and I won't be surprised if one of the major US-centric Vendors Lobbied some of the Congressmen to push through this ban previously (it's just that in the US they call such Financial Contributions Lobbying).

Re: unauthorized code

Brian,

Ultimately most folks in Enterprises do cost-benefit Analysis and also, in this case: What happens if I lose my data?

How much is it really worth to an attacker/ adversary?

My personal feeling is that most Enterprises tend to understand the Costs associated with such an issue, Aggressively in some cases.

That needs to stop and we need a more realistic analysis of the ROI and costs involved with a Breach.

That's when everything will hopefully change.

Re: unauthorized code

@Ashu001 that is a good point. Cost-benefit Analysis can be viewed as a good starting point. Firms will have to assign the appropriate weightages to the advantages and disadvantages. If a business offers a wide range of products to a wide range of customers, then the ripple effects can also create disadvantages in other product lines. For instance, if a manufacturer's switches are blacklisted due to security concerns, customers will be wary of the manufacturer's smartphones as well, etc.

Re: unauthorized code

Hi everyone,

Nice post Jai, thanks.

When I'm reading something like this, one of the first ideas that comes to my mind is to test this vulnerability. Indeed, I have a small NetScreen firewall, the SSG5; I need to check the software version and, if possible, try something :).

Re: unauthorized code

Yes, you are right, this can allow hackers to gain administrative access to NetScreen devices and to decrypt VPN connections. But this incident once again raised questions: did they work with the NSA to add backdoors into its system? This might include high number users to quickly act as NetScreen users running ScreenOS 6.2.0r15 through 6.2.0r18, and 6.3.0r12 through 6.3.0r20 are affected, and require patching.

Re: unauthorized code

Aditshar1,

The Security Blogosphere is abuzz discussing this very topic currently.

And most folks seem to be veering towards the fact that Yes, Juniper did work with the NSA to add Backdoors in their Networking Gear.

If that is true, then what's to stop the NSA from doing the same with Cisco or Dell or HP today?

The possibilities are absolutely mind-boggling!!! Is it any wonder most Privacy-minded folks are crying foul over the New CISA law?

It's most unfortunate that the country that was built on the basis of Liberty and freedom as two of its main building blocks has to resort to such underhand tactics to basically suppress rebellion of any sorts whatsoever.

Cisco

Cisco said in a blog post yesterday that it's performing additional security reviews of its products as a result of the Juniper breach, but has no indication of any unauthorized code.

Re: Cisco

Hi Marcia,

That's good news. But as we know, now, when we are talking about vendors' products security lacks we must exclude all backdoors, why, because, each need to follow / monitor / track its products and maybe influence it remotely, we can hide code everywhere, even inside the ASIC.

Re: Cisco

Hi Jerome! You're right, attackers can infiltrate every layer. We're still waiting for more information on this from Juniper, but security researchers have figured some things out according to this report.

Re: Cisco

Hi Marcia,

Thanks for the link, very informative!

If some strongest features/technologies/tools used by vendors nowadays come from these kind of organisations how these kind of problems can't appear :) just an idea!

Re: Cisco

Great, so we are waiting. Maybe that will encourage other vendors to start reviewing their code and let the public know about the result.

Re: Cisco

Hi Jerome -- Juniper posted a blog post late Friday with an update on this that provides some details on its security review of its products in the wake of the breach. "We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products," wrote Bob Worrall, SVP CIO at Juniper.

Re: Cisco

Jerome,

If you do read all the Research done on this Backdoor issue HERE: rpw.sh/blog/2015/12/21/the-backdoored-backdoor

It becomes quite clear that the NSA did really put the Backdoor in the Algorithm in the hope that at least some folks would take the bait.

It should not be surprising to most folks that the Vulnerability in the Algorithm was known since 2007 but none of the Vendors did anything to patch it before this issue broke out and garnered massive media attention.

You are quite right that spyware could be inserted anywhere in the code but to do so obviously and brazenly points the finger directly at the authorities involved.