Networking equipment maker Juniper Networks revealed this week that it had found spying code planted in some models of its firewalls. The products affected by the malicious code include those running ScreenOS, a Juniper operating system that runs several of the company’s appliances that act as firewalls and enable VPNs (virtual private networks).
The vulnerable versions of ScreenOS include 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, according to an advisory the company released on its Web site.
The unauthorized code was found during a recent internal review, according to a blog post by Bob Worrall, Juniper’s chief information officer. Worrall didn’t say where the code might have come from, or whether the company suspects some kind of state-sponsored tampering. The National Security Agency (NSA) reportedly has targeted other major networking manufacturers in the past, including Cisco and Huawei.
Two years ago, the German magazine Der Spiegel reported that the NSA had used malware called Feedthrough that targeted Juniper firewalls. The malware was capable of surviving various reboots and software upgrades.
Juniper today denied having anything to do with the vulnerabilities, adding that it has not collaborated with any government agency to install backdoors in its systems. “As we’ve stated previously, Juniper Networks takes allegations of this nature very seriously,” a company spokesperson told Forbes. “To be clear, we do not work with governments or anyone else to purposely introduce weaknesses or vulnerabilities into our products.”
Internal Review
An internal review by Juniper turned up a pair of problems, one of which could allow remote administrative access to a ScreenOS device over telnet or SSH. While log files would reflect a login attempt, Juniper acknowledged that a skilled attacker would probably remove these entries from the log file, thus wiping out signs indicating that the device had been compromised. The second vulnerability would enable an attacker who can monitor VPN traffic to decrypt it.
Worrall said that as of yesterday, the company had not received any reports of the vulnerabilities being exploited — but he acknowledged in an earlier security bulletin that the company had no way to detect whether they had been.
Patches Released
Juniper has released critical patches to fix the problems for owners of those appliances, and recommended that all customers update their systems and apply the patched releases as soon as possible. More information and guidance on applying this update to systems can be found on the company’s Security Incident Response Web site at http://advisory.juniper.net.
The company said that users should employ access lists or firewall filters to limit management access to their Juniper devices to trusted, internal, administrative networks or hosts only, reducing the attack surface of their networking equipment.
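Two points above go together for a defender: the unauthorized-access problem leaves a login entry that a skilled attacker would likely scrub from the device, and Juniper's advice is to confine management access to trusted administrative networks. The check below is an added example, not code from Juniper or from the article; it runs over a copy of firewall logs forwarded off-box and flags successful telnet/SSH management logins from outside an assumed trusted admin network. The log lines and their format are constructed for the example; the real ScreenOS message format is not given on the page.

```python
import ipaddress
import re

# Constructed sample lines in a generic syslog style (not the ScreenOS
# format, which the article does not show). Assumed to be a remote copy,
# so they survive even if the device's own log is cleaned.
SAMPLE_LOGS = """\
Dec 18 02:11:09 fw1 admin: login from 10.10.5.21 via ssh user=netops status=success
Dec 18 02:13:40 fw1 admin: login from 203.0.113.77 via telnet user=admin status=success
Dec 18 02:14:02 fw1 admin: login from 10.10.5.21 via ssh user=netops status=failed
Dec 18 02:20:15 fw1 admin: login from 198.51.100.9 via ssh user=admin status=success
Dec 18 02:21:00 fw1 system: config saved
"""

# Assumed trusted management network, following the article's advice to
# limit management access to internal administrative networks or hosts.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]

LOGIN_RE = re.compile(
    r"login from (?P<src>\d+\.\d+\.\d+\.\d+) via (?P<proto>ssh|telnet) "
    r"user=(?P<user>\S+) status=(?P<status>success|failed)"
)


def parse_logins(text):
    """Return one dict (src, proto, user, status) per management-login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(src, nets=TRUSTED_ADMIN_NETS):
    """True if the source address falls inside any trusted admin network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def find_untrusted_logins(text, nets=TRUSTED_ADMIN_NETS):
    """Successful telnet/SSH management logins from outside the trusted nets."""
    return [e for e in parse_logins(text)
            if e["status"] == "success" and not is_trusted(e["src"], nets)]


if __name__ == "__main__":
    for e in find_untrusted_logins(SAMPLE_LOGS):
        print(f"ALERT {e['proto']} login as {e['user']} from untrusted {e['src']}")
```

Forwarding logs off the device before any compromise is what makes this check useful; an access list that blocks the untrusted sources in the first place removes the events entirely.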
The earliest affected version of ScreenOS, 6.2.0r15, was released in September 2012, according to Juniper’s release notes. Cyberattackers often go after firewalls because they tend to monitor all data traffic flowing in and out of an organization.