Bad actors race to exploit Juniper firewall vulnerability
‘Rogue Code’ Found in Juniper Networks Software.
(Reuters) – The U.S. government is investigating unauthorized code inserted in software from Juniper Networks, which experts warned could be a “back door” used to spy on the networking equipment maker’s customers, an official told Reuters on Friday. Encryption backdoors have been a hot topic in the last few years—and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines.
Juniper, a major manufacturer of networking equipment, said on Thursday it found spying code planted in certain models of its firewalls, an alarming discovery that carries echoes of state-sponsored tampering. A senior U.S. official who declined to be named because of the sensitivity of the matter said the Department of Homeland Security is working with Juniper as it investigates the issue.
The affected products are those running ScreenOS, one of Juniper’s operating systems that runs on a range of appliances that act as firewalls and enable VPNs. The official said the White House National Security Council had taken an interest in Juniper’s rare disclosure that somebody had inserted rogue code into its software.
The code, which appears to have been in multiple versions of the company’s ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. He did not indicate where Juniper thinks the code originated. “At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority,” Worrall wrote.
Juniper warned customers on Thursday that it had uncovered “unauthorized code” in the software that runs its firewalls, saying it could be exploited to allow an attacker to unscramble encrypted communications. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls. “During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Bob Worrall, the company’s CIO, wrote in a post. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.” ‘This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire.’ Juniper released patches for the software yesterday and advised customers to install them immediately, noting that firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable.
Although log files would reflect a login attempt, “a skilled attacker would likely remove these entries from the log file, thus effectively eliminating any reliable signature that the device had been compromised,” Juniper wrote. Release notes for 6.2.0r15 show that version being released in September 2012, while release notes for 6.3.0r12 show that the latter version was issued in August 2012. “The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the US, the Chinese, or the Israelis,” says Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley. “You need to have wiretaps on the internet for that to be a valuable change to make [in the software].” But the backdoors are also a concern because one of them—a hardcoded master password left behind in Juniper’s software by the attackers—will now allow anyone else to take command of Juniper firewalls that administrators have not yet patched, once the attackers have figured out the password by examining Juniper’s code. VPNs are encrypted connections between a user and another computer and are often used by companies to allow secure remote access to their systems for employees who are traveling.
Weaver says this depends on the exact nature of the VPN backdoor. “If it was something like the Dual EC, the backdoor doesn’t actually get you in, … you also need to know the secret.” The compromise of such a prominent vendor with code specifically designed for spying echoes operations by the NSA described in documents leaked in 2013 by former contractor Edward Snowden. If Juniper did use Dual EC, an algorithm long known to be vulnerable, and this is part of the backdoor in question, it underscores that threat of repurposing by other actors even more. The first backdoor Juniper found would give an attacker administrative-level or root privileges over the firewalls—essentially the highest level of access on a system—when accessing the firewalls remotely via SSH or telnet channels. “Exploitation of this vulnerability can lead to complete compromise of the affected system,” Juniper noted.
The first is to ensure that the right connections have access to a company or government agency’s network; the other is to provide secured VPN access to remote workers or others with authorized access to the network. Speculation in the security community about who might have installed the unauthorized code centers on the NSA, though it could have been another nation-state actor with similar capabilities, such as the UK, China, Russia, or even Israel. An NSA spy tool catalogue leaked to Der Spiegel in 2013 described a sophisticated NSA implant known as FEEDTROUGH that was designed to maintain a persistent backdoor in Juniper firewalls. FEEDTROUGH, Der Spiegel wrote, “burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers…” It’s also designed to remain on systems even after they’re rebooted or the operating system on them is upgraded.
FEEDTROUGH is a firmware implant—a kind of “aftermarket” spy tool installed on specific targeted devices in the field or before they’re delivered to customers. Naturally, some in the community have questioned whether these were backdoors that Juniper had voluntarily installed for a specific government and decided to disclose only after it became apparent that the backdoor had been discovered by others.