Juniper Networks backdoor password 'hackable' within six hours

Juniper Networks own ScreenOS software harboured unauthorised code, questions of possible use by NSA.

Juniper Networks backdoor password 'hackable' within six hours
Juniper Networks backdoor password 'hackable' within six hours

Juniper Networks has presented itself with a clean bill of health after highlighting a vulnerability in its own Netscreen products. The firm had previously announced the discovery of unauthorised code in the ScreenOS software used in its Netscreen series enterprise firewalls.

An initial security advisory from the firm explained that a backdoor in the Virtual Private Network (VPN) technology used by Juniper would allow a passive eavesdropper to decrypt traffic. A second backdoor would then allow an attacker to bypass the secure authentication layer.

Six hours to crack

According to a blog post by security solutions firm Rapid 7, “Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours.”

Juniper Networks has since confirmed that it will stop using the software code in question that leads to this backdoor access. Some sources suggest that the code in question here is used by the National Security Agency for surveillance purposes. The code depends on numbers being generated by Dual Elliptic Curve technology, an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields

According to a statement from Juniper Networks itself, “We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.” Junos OS is the main operating system for most of Juniper's current products.

Juniper Networks chief information security officer Bob Worral says that once the vulnerabilities were identified the firm launched an investigation into the matter and worked to develop and issue patched releases for the latest versions of ScreenOS.

A ‘detailed investigation'

In addition to removing the unauthorised code and making patched releases available, Worral explains that Juniper undertook a ‘detailed investigation' with a ‘respected security organisation' to examine ScreenOS and Junos OS source code.

“After a detailed review, there is no evidence of any other unauthorised code in ScreenOS nor have we found any evidence of unauthorised code in Junos OS. The investigation also confirmed that it would be much more difficult to insert the same type of unauthorised code in Junos OS,” said Worral.

Further, the firm insists that it has identified additional changes it will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem. Juniper Networks states that it is continuing to monitor the security vulnerabilities thrown up by this story and makes the following statement on its own Knowledge Center pages.

“ScreenOS does make use of the Dual_EC_DRBG standard, but not in a way that should be vulnerable to the possible issues described by NIST. Instead of using the NIST recommended curve points, ScreenOS uses self-generated basis points.” NIST is the US National Institute of Standards and Technology.

Speaking to SCMagazineUK.com for this story, technical director for EMEA at managed Security-as-a-Service company Alert Logic Richard Cassidy said that this exploit from one of the most reputable and capable networking and security vendors on the market highlights why our approach to overall security and threat protection must rely less on the tools and products we put in place and more on the detailed analysis of the data our existing infrastructure produces from a log and activity perspective.

“If everyone trusted the locks on the front door to their house, then we wouldn't have CCTV in place to monitor that door. The same goes for IT security, we need to put in place processes and expertise to monitor our existing infrastructure for activity that would lead to identify unknown code exploits or zero-day threat activity,” said Cassidy.

He contends that it can be ‘nigh on impossible' for vendors to account for every security exploit eventuality, especially in core features and functions such as VPN capability and encryption, which rely on industry standard drafts and implementations at a code level.

“However,” said Cassidy, “all vendors need to take a greater degree of care in consistent analysis of their own platforms against commonly targeted functions, putting R&D effort into assuring the security assurance of their own platforms, as opposed to rigorous focus on new features and content primarily.”

Co-founder of technology analyst firm RedMonk James Governor also spoke to SCMagazineUK.com for this story. “Security is certainly not getting any easier, as we see risks exploding, from organised crime, non-state and also state actors – and unholy alliances between them,” he said.

Governor further stated that, “Back doors are rife, which is why it's more important than ever to be open about risks, threats and fixes. Open source methods and approaches are the solution, not the problem.”

Non-trivial exploitation (that means bad)

According to Rapid7, detecting the exploitation of this issue is non-trivial, but there are a couple things users (security officers and system administrators) can do. Juniper has provided guidance on what the logs from a successful intrusion would look like.