Juniper Networks announced that its ScreenOS operating system, which is used to manage NetScreen firewalls sold by the company, was found to contain “unauthorized code” (backdoor) that would give an attacker complete control over the system, as well as the capability to decrypt VPN connections undetected. Systems such as SWIFT (Society for Worldwide Interbank Financial Telecommunication), which allow banks to exchange financial transaction information with each other, are protected by NetScreen firewalls.
The first backdoor allows an attacker remote administrative access to the NetScreen devices over SSH or telnet. The action would leave log entries in the system, but skilled attackers could also delete those entries from the log file, thus eliminating the evidence that they were ever there.
The second one, which is independent of the first, allows attackers to decrypt VPN traffic, and according to Juniper there is no way to detect whether this vulnerability was exploited.
Juniper said that the NetScreen firewalls running ScreenOS 6.2.0r15 through 6.2.0r18, and 6.3.0r12 through 6.3.0r20, have been impacted by the malware, and they require immediate patching. The company also said that no other systems have been found to be similarly vulnerable so far.
The malware in question sounds quite similar to the NSA backdoor uncovered in classified NSA documents sent to Der Spiegel two years ago by an unnamed whistleblower (possibly not Snowden):
“In the case of Juniper, the name of this particular digital lock pick is ‘FEEDTROUGH.’ This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive ‘across reboots and software upgrades.’ In this way, U.S. government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH ‘has been deployed on many target platforms.’”
Juniper said that the internal audit that found the malware was done only "recently," so it’s not clear whether it’s the same malware or even if Juniper ever tried to fix the one mentioned by Der Spiegel.
If it is the same backdoor, then Juniper will have to explain why it waited two years to investigate the information in Der Spiegel’s documents, which could have uncovered this vulnerability much earlier. We’ve contacted Juniper Networks for a response, and this was the reply:
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS® that could allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority. The patched releases also address an SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. It is independent of the first issue. More information on these issues and the fix can be found in our JSAs available here.”
Juniper said that network administrators should update to the latest ScreenOS, which includes the fixes for the announced vulnerabilities. There is no workaround other than patching the software. The company's recommendation is to “use access lists or firewall filters to limit management access to the device only from trusted, internal, administrative networks or hosts” to reduce the exploitable attack surface of critical networking equipment.
Update, 12/21/15, 7:20pm PT: Juniper published an update on which versions of ScreenOS are affected by the two vulnerabilities:
"Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20."
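As an added example (not code from the article or from Juniper), the following Python script applies the version ranges from this update to a constructed device inventory and reports which advisory applies to each host; the hostnames and versions in the sample inventory are made up, and the version regex assumes the plain "major.minor.patch r<release>" form shown on this page.

```python
import re

# Affected ScreenOS ranges, inclusive, as stated in Juniper's 12/21/15 update.
AFFECTED_RANGES = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],                          # administrative access
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption
}

# Assumption: versions look like "6.3.0r17"; anything else is flagged for manual review.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")

def parse_version(text):
    """Turn '6.3.0r17' into the comparable tuple (6, 3, 0, 17)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def affected_cves(version):
    """Return the CVE ids from the update whose ranges contain this version."""
    parsed = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        in_range = any(parse_version(lo) <= parsed <= parse_version(hi) for lo, hi in ranges)
        if in_range:
            hits.append(cve)
    return hits

def triage(inventory):
    """Map each (hostname, version) pair to the advisories it needs, or to
    'unparseable' when the version string cannot be checked automatically."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = affected_cves(version)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "6.3.0r18"),    # inside both ranges: admin access and VPN decryption
    ("fw-dc-2", "6.2.0r16"),      # VPN decryption only
    ("fw-branch-3", "6.3.0r14"),  # VPN decryption only (below the r17 admin-access floor)
    ("fw-lab", "6.3.0r21"),       # above both ranges
    ("fw-legacy", "5.4.0r3"),     # outside the affected release trains
    ("fw-odd", "6.3.0"),          # no release number: flag for manual check
]
```

An empty list in the report means the version falls outside both published ranges; "unparseable" means the string did not match the expected form and should be checked by hand rather than assumed safe.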
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
At least in the US, tech companies are truly independent of the government, and many have upgraded their security since the Snowden revelations. In China, many of the big tech firms are state-owned enterprises, where there's a direct conflict of interest between government control and privacy.
While companies may be independent of governments, companies are not necessarily averse to getting "help" to gain or close a deal.
Speaking of which, I'm a bit skeptical that NSA is responsible for this, because their mandate includes security of US infrastructure and interests. I'd think/hope that they'd make any of their backdoors difficult to exploit by anyone else. But I'm pretty sure most backdoors used by the NSA are ones they discover - not created by them.
Anyway, I really wish (but don't expect) Juniper would say how the backdoors were added. Were they added to some open source libraries they use? Were they added by a bad employee? Or did hackers actually gain access to Juniper's source control servers and add them directly?
These black bag projects pretty much follow the way any other software development works. If there is a rush to put something in place for a particular event/operation/deadline, things get a bit rushed. The top priority isn't actually security, it's secrecy and keeping things unnoticed. Again, like anywhere else, after things are in place it's not a priority to spend more time/money on improving the security. All that matters at that point is whether it works and has the features they want.