Juniper ScreenOS devices had default backdoor password: Rapid7

23 Dec 2015

“Backdoor” computer hack may have put government data at risk.

The flaw was discovered Thursday in software called ScreenOS, from Juniper Networks, which enables VPN (virtual private network) connections used by many businesses and agencies for secure access to their networks. Encryption backdoors have been a hot topic in the last few years—and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines. Juniper Networks, a US government subcontractor, has been compromised in a hack that could have exposed countless classified communications over the past three years.

In a security bulletin posted on its website, Juniper warned that the flaw “allows unauthorized remote administrative access to the device over SSH or telnet.” The hackers, who have yet to be officially identified, introduced code to create a backdoor on systems commonly used by government employees — many of whom presumably have high security clearances. But despite all the attention focused on backdoors lately, no one noticed that someone had quietly installed backdoors three years ago in a core piece of networking equipment used to protect corporate and government systems around the world.

“Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.” According to the tech site Engadget, the “backdoor” which could have given unauthorized users access to Juniper’s software had been present since 2012. On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls. CNN quotes an anonymous government official who explains that it’s the hacking equivalent to “stealing a master key to get into any government building.” The sophistication of the back door’s installation and the targets lead the FBI to believe that it’s the work of a foreign government. CBS News Justice and Homeland Security Correspondent Jeff Pegues reports government investigators have been in contact with Juniper to see if government computers were potentially affected. Release notes for 6.2.0r15 show that version being released in September 2012, while release notes for 6.3.0r12 show that the latter version was issued in August 2012. “The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the US, the Chinese, or the Israelis,” says Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley. “You need to have wiretaps on the internet for that to be a valuable change to make [in the software].” But the backdoors are also a concern because one of them—a hardcoded master password left behind in Juniper’s software by the attackers—will now allow anyone else to take command of Juniper firewalls that administrators have not yet patched, once the attackers have figured out the password by examining Juniper’s code.

But it’s not yet clear whether hackers have taken advantage of the opening, or what damage might have been done. “At this time, we have not received any reports of these vulnerabilities being exploited,” Juniper said Friday. Ronald Prins, founder and CTO of FOX-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. Cybersecurity expert Michael DeCesare, CEO of ForeScout Technologies, said Juniper will need to determine whether it was an inside or outside job. “It will take time for their IT department to really understand how the attack occurred,” DeCesare told CBS News in an email. “What’s so troubling about this breach is that the very software that you trust to keep you safe becomes the vehicle into your organization for the attackers.” By reverse-engineering the firmware on a Juniper firewall, analysts at Prins’s company found the password in just six hours. “Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].” But there is another concern raised by Juniper’s announcement and patches—any other nation-state attackers, in addition to the culprits who installed the backdoors, who have intercepted and stored encrypted VPN traffic running through Juniper’s firewalls in the past, may now be able to decrypt it, Prins says, by analyzing Juniper’s patches and figuring out how the initial attackers were using the backdoor to decrypt it. “If other state actors are intercepting VPN traffic from those VPN devices, … they will be able to go back in history and be able to decrypt this kind of traffic,” he says.

Weaver says this depends on the exact nature of the VPN backdoor. “If it was something like the Dual EC, the backdoor doesn’t actually get you in, … you also need to know the secret.” If Juniper did use Dual EC, an algorithm long-known to be vulnerable, and this is part of the backdoor in question, it underscores that threat of repurposing by other actors even more. And Juniper noted that a skilled attacker would likely remove even this cryptic entry from log files to further eliminate any indication that the device had been compromised.

The second backdoor would effectively allow an attacker who has already intercepted VPN traffic passing through the Juniper firewalls to decrypt the traffic without knowing the decryption keys. The company said it discovered the backdoors during an internal code review, but it didn’t say if this was a routine review or if it had examined the code specifically after receiving a tip that something suspicious was in it. Speculation in the security community about who might have installed the unauthorized code centers on the NSA, though it could have been another nation-state actor with similar capabilities, such as the UK, China, Russia, or even Israel. An NSA spy tool catalogue leaked to Der Spiegel in 2013 described a sophisticated NSA implant known as FEEDTROUGH that was designed to maintain a persistent backdoor in Juniper firewalls. FEEDTROUGH, Der Spiegel wrote, “burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers…” It’s also designed to remain on systems even after they’re rebooted or the operating system on them is upgraded.

FEEDTROUGH is a firmware implant—a kind of “aftermarket” spy tool installed on specific targeted devices in the field or before they’re delivered to customers. Naturally, some in the community have questioned whether these were backdoors that Juniper had voluntarily installed for a specific government and decided to disclose only after it became apparent that the backdoor had been discovered by others.
