Juniper Networks announced that its ScreenOS operating system, which is used to manage NetScreen firewalls sold by the company, was found to contain “unauthorized code” (backdoor) that would give an attacker complete control over the system, as well as the capability to decrypt VPN connections undetected. Systems such as SWIFT (Society for Worldwide Interbank Financial Telecommunication), which allow banks to exchange financial transaction information with each other, are protected by NetScreen firewalls.
The first backdoor allows an attacker remote administrative access to the NetScreen devices over SSH or telnet. The action would leave log entries in the system, but skilled attackers could also delete those entries from the log file, thus eliminating the evidence that they were ever there.
The second one, which is independent of the first, allows the attackers to decrypt VPN traffic, and there is no way to detect whether this vulnerability was exploited, according to Juniper.
Juniper said that the NetScreen firewalls running ScreenOS 6.2.0r15 through 6.2.0r18, and 6.3.0r12 through 6.3.0r20, have been impacted by the malware, and they require immediate patching. The company also said that no other systems have been found to be similarly vulnerable so far.
The malware in question sounds quite similar to the NSA backdoor uncovered in classified NSA documents sent to Der Spiegel two years ago by an unnamed whistleblower (possibly not Snowden):
“In the case of Juniper, the name of this particular digital lock pick is ‘FEEDTROUGH.’ This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive ‘across reboots and software upgrades.’ In this way, U.S. government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH ‘has been deployed on many target platforms.’”
Juniper said that the internal audit that found the malware was done only "recently," so it’s not clear whether it’s the same malware or even if Juniper ever tried to fix the one mentioned by Der Spiegel.
If it is the same backdoor, then Juniper will have to say why it has waited two years before investigating the information from Der Spiegel’s documents and potentially finding this vulnerability much earlier. We’ve contacted Juniper Networks for a response, and this was the reply:
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS® that could allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority. The patched releases also address an SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. It is independent of the first issue. More information on these issues and the fix can be found in our JSAs available here.”
Juniper said that network administrators should update to the latest ScreenOS, which includes the fixes for the announced vulnerabilities. There is no workaround other than patching the software. The company's recommendation is to “use access lists or firewall filters to limit management access to the device only from trusted, internal, administrative networks or hosts” to reduce the exploitable attack surface of critical networking equipment.
Update, 12/21/15, 7:20pm PT: Juniper published an update on which versions of ScreenOS are affected by the two vulnerabilities:
"Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20."
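The affected ranges above are the only reliable way to triage a fleet against the two CVEs, so here is an added example (not code from the article or from Juniper) that parses ScreenOS version strings of the form shown in the update and reports which CVE ranges each device's build falls into; the regex assumes the plain "major.minor.patch rN" form, and the device names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, NamedTuple


class ScreenOSVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int


# Matches the version form quoted in Juniper's update, e.g. "6.3.0r17".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(text: str) -> ScreenOSVersion:
    """Parse a ScreenOS version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    return ScreenOSVersion(*(int(g) for g in m.groups()))


# Inclusive affected ranges exactly as stated in the 12/21/15 update.
AFFECTED = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],  # unauthorized administrative access
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption
}


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected ranges contain the given ScreenOS build."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device name to the CVEs its build is exposed to (empty list = not in an affected range)."""
    return {name: affected_cves(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up for illustration.
    sample = {"fw-edge-1": "6.3.0r18", "fw-dmz-2": "6.2.0r16", "fw-core-3": "6.3.0r11"}
    for host, cves in triage(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'not in an affected range'}")
```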
______________________________________________________________________
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.