Juniper Backdoor – What Really Happened?

Did you know that it is possible for a leading network device to run for more than three years with a hidden backdoor? Well, this happened to Juniper Networks. On Thursday, the company announced that it had discovered unauthorized code in its firewall systems. Juniper’s own NetScreen firewall, network equipment used to secure governmental institutions, privately held companies, and intelligence agencies around the world, turned out to have had two backdoors for as many as 3 years.

Which part of the Network is affected?

This is not a secret code that can be easily wiped out by an antivirus. Juniper announced the sad news that it had found unauthorized code embedded in the operating system of some of its firewalls, the same firewalls that ought to protect government and network-critical data. Worse, the unauthorized code appears to have been present in multiple versions of the company’s ScreenOS software since 2012. ScreenOS is the operating system for Juniper’s NetScreen firewalls. It is not clear whether the backdoor was present in other Juniper OSes or devices. What is known is that the backdoor affects NetScreen firewalls running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
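To check a device inventory against those version ranges, here is an added Python helper; it is not code from the article or from Juniper, and the hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re

# Affected ScreenOS ranges as stated in the article (inclusive on both ends).
AFFECTED_RANGES = [
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
]

# ScreenOS versions look like "6.3.0r12"; some builds carry a trailing ".N".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(version: str) -> tuple:
    """Turn '6.3.0r12' into (6, 3, 0, 12) so versions compare numerically."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges."""
    v = parse_screenos_version(version)
    return any(parse_screenos_version(lo) <= v <= parse_screenos_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Sort (hostname, version) pairs into affected / not_affected / unknown.

    Unparseable version strings are reported as 'unknown' rather than
    silently treated as safe, so they still get a human look."""
    report = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = [
    ("fw-dc1", "6.3.0r12"),      # lower bound of the 6.3 range
    ("fw-dc2", "6.3.0r21"),      # one release past the range
    ("fw-branch", "6.2.0r17"),   # inside the 6.2 range
    ("fw-lab", "6.3.0r11"),      # one release before the range
    ("fw-legacy", "5.4.0r10"),   # older major version, not listed
    ("fw-odd", "unknown-build"), # bad inventory data
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```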

What is the Risk of the secret code?

The major risk is that an attacker can take complete control of Juniper NetScreen firewalls running the affected software. A skilled attacker who gets into the system could also, separately, decrypt encrypted traffic passing through the firewall’s Virtual Private Network (VPN). This is bad because the attacker would then have access to all data on the network, private or not. This is a sophisticated breach and it is believed to be the work of foreign governments; China and Russia are among the top suspects. Juniper sells network equipment and routers to big companies all over the world. All companies that use Juniper equipment are at risk.

“On behalf of the entire Juniper Security Response Team, please know that we take this matter very seriously and are making every effort to address these issues,” wrote Juniper CIO Bob Worrall in a blog post on the issue.

How did the backdoor occur?

The Juniper systems are vulnerable and at high risk due to the way they were designed. The affected system allows anyone to decrypt VPN traffic without leaving any trace of their actions. This is a major flaw because no one will have activity logs, and thus no record of who did what to the system and when. The affected system also allows anyone to completely compromise a device via an unauthorized remote-access vulnerability over SSH or telnet. An attacker could remotely log into the firewall with administrator privileges, decrypt and spy on the supposedly secure traffic, and then remove any trace of their actions. No one would know that the system had been hacked.

What is the Solution?

Juniper has released patches for the software and has advised customers to install them immediately. Anyone running the firewalls mentioned earlier is urged to take immediate action and install the patches. This is a major relief to all companies using Juniper equipment. We hope that Juniper can fix all their vulnerabilities so that there is no more backdoor risk in the future.

Who is Responsible?

Today Wired published a post regarding a new discovery by cybersecurity researchers that links the NSA to the events described above. The agency might be responsible for creating a security gap in a system that has since been exploited by attackers. According to evidence presented by Ralf-Philipp Weinmann, founder of Comsecuris, Juniper had nearly the same encryption backdoor that the NSA crafted years ago. The researcher published his findings on his blog. The encryption backdoor, dubbed Dual_EC, is a random number generator that Juniper used for encrypting VPN traffic in NetScreen firewalls.

Matthew Green, a cryptographer and professor at Johns Hopkins University, commented on the issue:

I don’t want to say that Juniper did this on purpose. But if you wanted to create a deliberate backdoor based on Dual_EC and make it look safe, while also having it be vulnerable, this is the way you’d do it. The best backdoor is a backdoor that looks like a bug, where you look at the thing and say, ‘Whoops, someone forgot a line of code or got a symbol wrong.’ … It makes it deniable. But this bug happens to be sitting there right next to this incredibly dangerous NSA-designed random number generator, and it makes that generator actually dangerous where it might not have been otherwise.

You can read about the update procedure at this page.
