Juniper Finds Backdoor In NetScreen Firewalls, Possibly Already Exposed By NSA Whistleblower In 2013

Juniper Networks announced that ScreenOS, the operating system that runs the NetScreen firewalls the company sells, was found to contain “unauthorized code,” in effect a backdoor, that would give an attacker complete control over the device as well as the ability to decrypt VPN connections undetected. Systems such as SWIFT (Society for Worldwide Interbank Financial Telecommunication), which lets banks exchange financial transaction information with each other, are protected by NetScreen firewalls.

The first backdoor gives an attacker remote administrative access to NetScreen devices over SSH or Telnet. Such logins do leave entries in the device log, but an attacker who has gained administrative access can also delete those entries, removing the evidence that anyone was ever there.

The second, which is independent of the first, lets an attacker who can observe VPN traffic decrypt it, and according to Juniper there is no way to tell from the device whether this vulnerability was exploited.

Juniper said that NetScreen firewalls running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 contain the unauthorized code and require immediate patching. The company also said that no other systems have been found to be similarly affected so far.

The unauthorized code sounds similar to the NSA implant described in classified NSA documents that an unnamed source (possibly not Snowden) passed to Der Spiegel two years ago:

“In the case of Juniper, the name of this particular digital lock pick is ‘FEEDTROUGH.’ This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive ‘across reboots and software upgrades.’ In this way, U.S. government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH ‘has been deployed on many target platforms.’”

Juniper said that the internal code review that found the unauthorized code was done only "recently," so it is not clear whether this is the same implant, or whether Juniper ever investigated the one described in Der Spiegel's documents.

If it is the same backdoor, Juniper will have to explain why it waited two years before acting on the information in Der Spiegel's documents, which could have surfaced this vulnerability much earlier. We contacted Juniper Networks for a response and received the following reply:

“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS® that could allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority. The patched releases also address an SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. It is independent of the first issue. More information on these issues and the fix can be found in our JSAs available here.”

Juniper said that network administrators should update to the latest ScreenOS release, which includes the fixes for both announced vulnerabilities; there is no workaround short of patching. As a mitigation, the company recommends that administrators “use access lists or firewall filters to limit management access to the device only from trusted, internal, administrative networks or hosts” to reduce the exposed attack surface of this critical networking equipment. Note that restricting management access only narrows exposure to the administrative-access backdoor; it does nothing against the VPN decryption issue, which needs no access to the device at all, only the ability to capture its VPN traffic.

Update, 12/21/15, 7:20pm PT: Juniper published an update on which versions of ScreenOS are affected by the two vulnerabilities:

"Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20."
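The version ranges above are the one concrete thing an administrator can check against an inventory. The following Python snippet is an added example written for this page, not Juniper's own tooling: it parses ScreenOS version strings into comparable tuples and tests them against the affected ranges exactly as stated in Juniper's 2015-12-21 update. The device inventory at the bottom is constructed sample data, and the handling of build suffixes such as "6.3.0r20.0" (anything after the release number is ignored) is an assumption about the version format.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges per Juniper's 2015-12-21 update (inclusive on both ends).
# CVE-2015-7755: administrative access over SSH/Telnet.
# CVE-2015-7756: passive VPN decryption.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],
}

# major.minor.patch, optional "rN" release number, optional trailing suffix.
# Accepting a suffix after the release number is an assumption about the format.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?(?:\D.*)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a ScreenOS version string such as '6.3.0r17' into a comparable
    (major, minor, patch, release) tuple. A missing 'rN' is treated as r0.
    Raises ValueError on anything that does not look like a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a ScreenOS version string: {text!r}")
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel or 0))


def in_range(version: str, low: str, high: str) -> bool:
    """True if version falls inside [low, high], compared numerically."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_by(version: str) -> Dict[str, bool]:
    """Map each CVE id to whether the given version is in one of its ranges."""
    return {
        cve: any(in_range(version, lo, hi) for lo, hi in ranges)
        for cve, ranges in AFFECTED.items()
    }


def needs_patch(version: str) -> bool:
    """True if the version is affected by at least one of the two issues."""
    return any(affected_by(version).values())


def patch_report(inventory: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (hostname, version, [affected CVE ids]) for every device that
    needs patching; clean devices are omitted."""
    rows = []
    for host, version in inventory.items():
        hits = [cve for cve, hit in affected_by(version).items() if hit]
        if hits:
            rows.append((host, version, hits))
    return rows


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fw-edge-1": "6.3.0r18",  # both issues
    "fw-edge-2": "6.3.0r12",  # VPN decryption only (below r17)
    "fw-dc-1": "6.2.0r16",    # VPN decryption only (6.2 branch)
    "fw-lab": "6.3.0r21",     # above the affected range
    "fw-old": "6.2.0r14",     # below the affected range
}

if __name__ == "__main__":
    for host, version, hits in patch_report(SAMPLE_INVENTORY):
        print(f"{host}: ScreenOS {version} affected by {', '.join(hits)}")
```

Because the two issues have different lower bounds, a device on 6.3.0r12 through 6.3.0r16 shows up for the VPN issue only, which matters when prioritising: those devices are exposed to passive decryption but not to the remote login.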

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.


  • Hanin33
    Unpatched for 2 years by mandate? Is this even surprising?
    Reply
  • DalaiLamar
    Just wonder how many backdoors laid by the NSA are still lying elsewhere in the internet ecosystem .
    Reply
  • rantoc
    That's what you get when trusting a US software company that has been paid by the NSA to add a little "extra" to it...
    Reply
  • bit_user
    17161380 said:
    That's what you get when trusting a US software company that has been paid by the NSA to add a little "extra" to it...
    Is there any evidence of that? I'm not saying it didn't happen, but you should really cite evidence, when making these claims. Wild conspiracy theories are actually counterproductive, by fostering cynicism and distracting from real conspiracies and corruption.

    At least in the US, tech companies are truly independent of the government, and many have upgraded their security since the Snowden revelations. In China, many of the big tech firms are state-owned enterprises, where there's a direct conflict of interest between government control and privacy.
    Reply
  • dthx
    That's exactly why the US Govt. is forbidding US companies to acquire Huawei network equipment. They are equipped with the wrong type of backdoors ;-)
    Reply
  • toadhammer
    17161380 said:
    That's what you get when trusting a US software company that has been paid by the NSA to add a little "extra" to it...
    Is there any evidence of that? I'm not saying it didn't happen, but you should really cite evidence, when making these claims. Wild conspiracy theories are actually counterproductive, by fostering cynicism and distracting from real conspiracies and corruption.
    Through personal experience, I'm willing to say it's not all just conspiracy theory. Seeing others' experience, I am not willing to be more specific.

    While companies may be independent of governments, companies are not necessarily averse to getting "help" to gain or close a deal.
    Reply
  • bit_user
    17165198 said:
    That's exactly why the US Govt. is forbidding US companies to acquire Huawei network equipment. They are equipped with the wrong type of backdoors ;-)
    I see what you did there, except it was Huawei that was trying to acquire US firms. You might update your joke to say the NSA won't allow it, since they want to keep their backdoors in these devices. If a Chinese state-owned-enterprise bought a US tech firm, they'd probably change all the backdoors, or at least the keys.

    Speaking of which, I'm a bit skeptical that NSA is responsible for this, because their mandate includes security of US infrastructure and interests. I'd think/hope that they'd make any of their backdoors difficult to exploit by anyone else. But I'm pretty sure most backdoors used by the NSA are ones they discover - not created by them.

    Anyway, I really wish (but don't expect) Juniper would say how the backdoors were added. Were they added to some open source libraries they use? Were they added by a bad employee? Or did hackers actually gain access to Juniper's source control servers and add them directly?
    Reply
  • bit_user
    17166923 said:
    While companies may be independent of governments, companies are not necessarily averse to getting "help" to gain or close a deal.
    Many governments require backdoors in internet services (not so sure about infrastructure, since they could control that by conventional means). They're usually more secure, though. Remember, what they want is to have control, but what they don't want is for hackers to gain that control. So, a purpose-built backdoor should both be obscure and use strong security. That's why I think this was added by hackers (though they could have been working for a certain government who probably doesn't use Juniper's products).
    Reply
  • toadhammer
    17171221 said:
    17166923 said:
    While companies may be independent of governments, companies are not necessarily averse to getting "help" to gain or close a deal.
    Many governments require backdoors in internet services (not so sure about infrastructure, since they could control that by conventional means). They're usually more secure, though. Remember, what they want is to have control, but what they don't want is for hackers to gain that control. So, a purpose-built backdoor should both be obscure and use strong security. That's why I think this was added by hackers (though they could have been working for a certain government who probably doesn't use Juniper's products).

    These black bag projects pretty much follow the way any other software development works. If there is a rush to put something in place for a particular event/operation/deadline, things get a bit rushed. The top priority isn't actually security, it's secrecy and keeping things unnoticed. Again, like anywhere else, after things are in place it's not a priority to spend more time/money on improving the security. All that matters at that point is whether it works and has the features they want.
    Reply