Juniper Finds Backdoor In NetScreen Firewalls, Possibly Already Exposed By NSA Whistleblower In 2013
Juniper Networks announced that ScreenOS, the operating system that runs the NetScreen firewalls the company sells, was found to contain “unauthorized code” (a backdoor) that would give an attacker complete control over the device, as well as the ability to decrypt VPN connections without detection. Systems such as SWIFT (Society for Worldwide Interbank Financial Telecommunication), which lets banks exchange financial transaction messages with each other, are protected by NetScreen firewalls.
The first backdoor gives an attacker remote administrative access to the NetScreen devices over SSH or Telnet. A login through it leaves entries in the device's local log, but a skilled attacker could delete those entries and erase the evidence of ever having been there. For that reason, a clean local log is not proof of a clean device; log entries forwarded to an external syslog collector at the time of the login survive local tampering and are the ones worth checking.
The second backdoor, which is independent of the first, allows an attacker who can capture VPN traffic to decrypt it, and according to Juniper there is no way to detect whether it has been exploited.
Juniper initially said that NetScreen firewalls running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected by the unauthorized code and require immediate patching (the per-vulnerability version ranges in the update at the end of this article are narrower). The company also said that no other Juniper products have been found to be similarly affected so far.
The unauthorized code sounds similar to the NSA implant described in classified NSA documents sent to Der Spiegel two years ago by an unnamed whistleblower (possibly not Snowden):
“In the case of Juniper, the name of this particular digital lock pick is ‘FEEDTROUGH.’ This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive ‘across reboots and software upgrades.’ In this way, U.S. government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH ‘has been deployed on many target platforms.’”
Juniper said that the internal code review that found the unauthorized code was done only “recently,” so it is not clear whether this is the same backdoor, or whether Juniper ever tried to find the one described by Der Spiegel.
If it is the same backdoor, Juniper will have to explain why it waited two years before investigating the information in Der Spiegel’s documents, which could have surfaced this vulnerability much earlier. We contacted Juniper Networks for a response, and this was the reply:
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS® that could allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority.
The patched releases also address an SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. It is independent of the first issue.
More information on these issues and the fix can be found in our JSAs available here.”
Juniper said that network administrators should update to the latest ScreenOS release, which includes the fixes for both vulnerabilities; there is no workaround other than applying the patch. Independently of patching, the company recommends that administrators “use access lists or firewall filters to limit management access to the device only from trusted, internal, administrative networks or hosts.” That limits who can reach the administrative backdoor on critical networking equipment, but it cannot protect VPN traffic from a passive eavesdropper, so it is a mitigation only for the first issue.
Update, 12/21/15, 7:20pm PT: Juniper published an update on which versions of ScreenOS are affected by the two vulnerabilities:
"Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20."
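As an added example, not code from this article or from Juniper, the following Python script applies the version ranges from the update above to a device inventory and reports which of the two CVEs applies to each firewall. The inventory, hostnames and version strings are constructed for illustration; the version-string shape major.minor.patch followed by rN is assumed from the releases named on this page, and anything that does not match that shape is flagged for review rather than silently treated as clean.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges (inclusive) as published in Juniper's 12/21/15 update:
#   CVE-2015-7755 (administrative access): 6.3.0r17 through 6.3.0r20
#   CVE-2015-7756 (VPN decryption):        6.2.0r15 through 6.2.0r18,
#                                          6.3.0r12 through 6.3.0r20
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2015-7755": [((6, 3, 0, 17), (6, 3, 0, 20))],
    "CVE-2015-7756": [((6, 2, 0, 15), (6, 2, 0, 18)),
                      ((6, 3, 0, 12), (6, 3, 0, 20))],
}

# Assumed release-string shape: major.minor.patch rN, e.g. "6.3.0r17".
# A trailing build suffix such as "6.3.0r17.0" is tolerated and ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """Turn '6.3.0r17' into the comparable tuple (6, 3, 0, 17), or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rel = (int(g) for g in m.groups())
    return (major, minor, patch, rel)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE identifiers whose published range contains this release.

    Tuple comparison gives the right ordering for major.minor.patch.rN, so a
    release is affected when it falls inside any inclusive (low, high) pair.
    Raises ValueError for a string that is not a recognisable release.
    """
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"unrecognised ScreenOS version: {version_text!r}")
    return [cve for cve, ranges in AFFECTED.items()
            if any(low <= version <= high for low, high in ranges)]


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> list of applicable CVEs.

    A version that cannot be parsed is reported as 'UNKNOWN-VERSION' so that
    it shows up as work to do instead of disappearing from the report.
    """
    report: Dict[str, List[str]] = {}
    for host, version_text in inventory.items():
        try:
            report[host] = affected_cves(version_text)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
    return report


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-dc1-edge": "6.3.0r19",    # inside both ranges
    "fw-dc2-edge": "6.3.0r14",    # VPN decryption range only
    "fw-branch-07": "6.2.0r16",   # VPN decryption range only
    "fw-lab": "6.3.0r21",         # outside both published ranges
    "fw-old": "5.4.0r27",         # older train, outside both ranges
    "fw-unknown": "n/a",          # inventory gap: must be reviewed by hand
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "not in a published affected range"
        print(f"{host:14s} {SAMPLE_INVENTORY[host]:10s} {status}")
```

Run it against an export of the firewall inventory rather than the sample dictionary. Treating an unreadable version as a finding instead of a pass is deliberate: the device whose version nobody can state is exactly the one most likely to be skipped during emergency patching.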
______________________________________________________________________
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
You can follow him at @lucian_armasu.

DalaiLamar
Just wonder how many backdoors laid by the NSA are still lying elsewhere in the internet ecosystem.

rantoc
That's what you get when trusting a US software company that has been paid by the NSA to add a little "extra" to it...
bit_user
rantoc (17161380) said: "That's what you get when trusting a US software company that has been paid by the NSA to add a little "extra" to it..."
Is there any evidence of that? I'm not saying it didn't happen, but you should really cite evidence when making these claims. Wild conspiracy theories are actually counterproductive, by fostering cynicism and distracting from real conspiracies and corruption.
At least in the US, tech companies are truly independent of the government, and many have upgraded their security since the Snowden revelations. In China, many of the big tech firms are state-owned enterprises, where there's a direct conflict of interest between government control and privacy.
dthx
That's exactly why the US Govt. is forbidding US companies to acquire Huawei network equipment. They are equipped with the wrong type of backdoors ;-)

toadhammer
bit_user said: "Is there any evidence of that? I'm not saying it didn't happen, but you should really cite evidence when making these claims. Wild conspiracy theories are actually counterproductive, by fostering cynicism and distracting from real conspiracies and corruption."
Through personal experience, I'm willing to say it's not all just conspiracy theory. Seeing others' experience, I am not willing to be more specific.
While companies may be independent of governments, companies are not necessarily averse to getting "help" to gain or close a deal.
bit_user
dthx (17165198) said: "That's exactly why the US Govt. is forbidding US companies to acquire Huawei network equipment. They are equipped with the wrong type of backdoors ;-)"
I see what you did there, except it was Huawei that was trying to acquire US firms. You might update your joke to say the NSA won't allow it, since they want to keep their backdoors in these devices. If a Chinese state-owned enterprise bought a US tech firm, they'd probably change all the backdoors, or at least the keys.
Speaking of which, I'm a bit skeptical that NSA is responsible for this, because their mandate includes security of US infrastructure and interests. I'd think/hope that they'd make any of their backdoors difficult to exploit by anyone else. But I'm pretty sure most backdoors used by the NSA are ones they discover, not created by them.
Anyway, I really wish (but don't expect) Juniper would say how the backdoors were added. Were they added to some open source libraries they use? Were they added by a bad employee? Or did hackers actually gain access to Juniper's source control servers and add them directly?
bit_user
toadhammer (17166923) said: "While companies may be independent of governments, companies are not necessarily averse to getting "help" to gain or close a deal."
Many governments require backdoors in internet services (not so sure about infrastructure, since they could control that by conventional means). They're usually more secure, though. Remember, what they want is to have control, but what they don't want is for hackers to gain that control. So, a purpose-built backdoor should both be obscure and use strong security. That's why I think this was added by hackers (though they could have been working for a certain government who probably doesn't use Juniper's products).

toadhammer
bit_user (17171221) said: "Many governments require backdoors in internet services (not so sure about infrastructure, since they could control that by conventional means). They're usually more secure, though. Remember, what they want is to have control, but what they don't want is for hackers to gain that control. So, a purpose-built backdoor should both be obscure and use strong security. That's why I think this was added by hackers (though they could have been working for a certain government who probably doesn't use Juniper's products)."
These black bag projects pretty much follow the way any other software development works. If there is a rush to put something in place for a particular event/operation/deadline, things get a bit rushed. The top priority isn't actually security, it's secrecy and keeping things unnoticed. Again, like anywhere else, after things are in place it's not a priority to spend more time/money on improving the security. All that matters at that point is whether it works and has the features they want.