Researchers from two security firms have uncovered the password guarding one of the backdoors discovered in Juniper Networks’ ScreenOS, the operating system behind its NetScreen enterprise-grade firewalls.
Fox-IT and Rapid7 found the secret code, which was disguised to look like debug code, said Rapid7 chief research officer HD Moore.
“This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username,” Moore said. “If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges.”
Fox-IT was the first to find the password—needing six hours, it said, to do so—thought it did not publish it.
Hmmm. It took @foxit 6 hours to find the password for the ssh/telnet backdoor in the vulnerable Juniper firewalss. Patch now
— Ronald Prins (@cryptoron) December 18, 2015
Juniper released an emergency patch last Thursday closing the holes introduced by the two backdoors, one of which allows for passive decryption of VPN traffic moving through Juniper’s appliances, and the other allows for remote administrative access over SSH or Telnet.
Juniper senior vice president and chief information security officer Bob Worrall said the two vulnerabilities were discovered during a recent internal code review and affect ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The earliest affected version was released Sept. 12, 2012.
Moore, however, said that the authentication backdoor is not present in older versions of ScreenOS, adding that it’s likely the 6.2.0 series is not affected, but was vulnerable to the VPN vulnerability.
“We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down 6.3.0r15 or 6.3.0r16,” Moore said. “This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).”
Juniper has made new versions of the affected firmware available, sans backdoors, and admins are urged to patch immediately.
Heightening the concern was the revelation that Juniper’s affected NetScreen appliances utilize the maligned Dual_EC_DRBG random number generator that has long been considered backdoored and was front-and-center of allegations that the NSA was involved in compromising the algorithm. In December 2013, Reuters alleged in a report that RSA Security was paid $10 million in a secret contract with the NSA to use Dual_EC which the spy agency could easily crack.
Cryptographer Adam Langley on Saturday published a report on his personal site that summarizes much of the chatter around the backdoors and the discovery of Dual_EC. Specifically, Langley surmises that the presence of the Dual_EC could explain how passive decryption of VPN traffic is possible.
Dual_EC is regarded as a poor choice for a RNG, given that it’s performance is sluggish, and the output is predictable given enough resources and knowledge about how it works. Juniper’s Dual_EC implementation, however, does not use pre-defined NSA-introduced points, suggesting, as Langley wrote: “[Juniper] used a backdoored RNG but changed the locks. Then this attack might be explained by saying that someone broke in and changed the locks again.”
In other words, it could be that someone else used the NSA’s backdoor in Dual_EC to attack Juniper.
“We’re not sure that’s actually what happened, but it seems like a reasonable hypothesis at this point. If it’s correct, this is fairly bananas. Dual-EC is not a reasonable RNG…Huge compromises were made in its design in order to meet its primary objective: to be a NOBUS passive backdoor. (NOBUS is an intelligence community term for ‘nobody but us,’ i.e. other parties shouldn’t be able to use the backdoor). Why would it be used in ScreenOS in the first place?”