Most U.S. government agencies have until Feb. 4 to audit their IT infrastructure for the use of backdoored Juniper Networks’ Netscreen firewalls.
Letters went out late last week from the House Oversight & Government Reform Committee to the leaders of the various agencies asking them to provide the committee with a report on whether the Juniper products and what versions are in use, how the vulnerability was found, and whether it was patched.
The committee has government-wide oversight and investigative responsibilities. Netscreen firewalls are enterprise-grade firewall and VPN appliances that are used in large business and government networks.
On Dec. 17, the networking vendor released an emergency patch for ScreenOS, the operating system holding up Netscreen appliances. The company said it had discovered “unauthorized code” in ScreenOS that opened the door for the decryption of VPN traffic moving through the appliances. Juniper also found a second backdoor, that allows for remote administrative access to Netscreen devices over SSH or telnet.
Juniper chief information security officer Bob Worrall said the vendor was not aware of public exploits, but the code was introduced in September 2012 and documents taken by National Security Agency whistleblower Edward Snowden and published in a German magazine said that the intelligence agency had developed implants tailored for Juniper firewalls giving the NSA persistent access to the appliances.
It didn’t take long for security researchers at Fox-IT and Rapid7 to discover and publish the secret password buried in the ScreenOS source code granting remote admin access.
Almost in parallel, researchers discovered in Juniper documentation that the company had included the Dual_EC_DRBG random number generator, which has long been considered backdoored and was front-and-center of allegations that the NSA was involved in compromising the algorithm. The weaknesses Dual_EC, experts said, could provide enough of an opening to decrypt VPN traffic.
Juniper, on Jan. 8, said it would remove Dual_EC and the ANSI X9.31 algorithms from ScreenOS sometime in the first half of this year. But a team of cryptography and security experts said that Juniper’s use of Dual_EC dates back to at least 2009, more than a year after the revelation that the NSA had likely backdoored Dual_EC.
Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, told Threatpost that he and his colleagues on this investigation looked at dozens of versions of NetScreen and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output.
“And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.”
Checkoway said that Juniper’s introduction of the bug, which was discovered by researcher Willem Pinckaers, broke the way that the code had worked in ScreenOS 6.1 and earlier.
Dual_EC is considered a weak RNG, slow compared to others available at the time, and it also contains a bias, experts said. The bias indicates random numbers aren’t so random and are likely related to a second set of input controlled by a third party that would have enough information to predict the output of the RNG.
