Juniper Finds Backdoor that Decrypts VPN Traffic

Juniper Networks has removed “unauthorized code” capable of decrypting VPN traffic that it found in ScreenOS, which runs many of its enterprise-grade NetScreen firewalls.

Juniper Networks today released an emergency patch that removes what it’s calling “unauthorized code” from ScreenOS, code that could allow attackers to decrypt VPN traffic from NetScreen devices.

Juniper has not commented on the origin of the code it found. However, Juniper’s products were singled out, among others, in the National Security Agency’s product catalog developed by its ANT division. According to a December 2013 article by Jacob Appelbaum, Judit Horchert and Christian Stöcker in Der Spiegel, the NSA’s FEEDTHROUGH implant was tailored for Juniper firewalls and gave the U.S. government persistent backdoor access to these high-end networking machines. NetScreen appliances are high-end enterprise firewall and VPN products, also used by telecommunications carriers and in data centers; ScreenOS is the operating system that runs them.

Juniper senior vice president and chief information security officer Bob Worrall said today that two vulnerabilities were discovered during a recent internal code review affecting ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The earliest affected version was released Sept. 12, 2012, less than a year before the Snowden revelations began.

One is the unauthorized code enabling VPN decryption; the other allows remote administrative access to a device over SSH or Telnet. Juniper notes that such system access would be logged and that password authentication would be successful, but an attacker could alter the logs and remove the entries.

“Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS,” Worrall said. “At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”

Juniper said that SRX and other Junos-based systems are not affected; Junos is the company’s operating system for routing, switching and security.
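Because the affected releases are confined to two ScreenOS trains and two release ranges, the first defensive step is an inventory check. The following is an added example, not code from Juniper or from the article: it parses ScreenOS version strings of the form `6.3.0r12` (an optional trailing sub-release such as `.0` is accepted, an assumption about how some devices report their version), applies the ranges quoted above, and lists the hosts in a constructed, hypothetical inventory that still need the patch.

```python
import re

# Affected ScreenOS trains and release ranges, as given in the article.
# Key: the "major.minor.patch" train; value: inclusive "rN" release bounds.
AFFECTED = {
    (6, 2, 0): (15, 18),   # 6.2.0r15 through 6.2.0r18
    (6, 3, 0): (12, 20),   # 6.3.0r12 through 6.3.0r20
}

# "6.3.0r12" or "6.3.0r12.0"; the optional sub-release suffix is an assumption.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(version):
    """Split '6.3.0r12' into ((6, 3, 0), 12); raise on anything unrecognised."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, patch, release = (int(x) for x in m.groups())
    return (major, minor, patch), release


def is_affected(version):
    """True if the release falls inside one of the affected ranges."""
    train, release = parse_screenos_version(version)
    if train not in AFFECTED:
        return False          # other trains are not named as affected
    low, high = AFFECTED[train]
    return low <= release <= high


def triage_inventory(inventory):
    """Return the sorted hostnames from a {host: version} map that need patching."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hypothetical hostnames and versions.
SAMPLE_INVENTORY = {
    "fw-dc1-ssg550": "6.3.0r12",    # earliest affected 6.3.0 release
    "fw-dc2-ssg550": "6.3.0r21.0",  # outside the quoted 6.3.0 range
    "fw-branch-ssg5": "6.2.0r15",   # earliest affected 6.2.0 release
    "fw-lab-ssg5": "6.2.0r14",      # just below the 6.2.0 range
    "fw-legacy": "5.4.0r10",        # train not named as affected
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the ScreenOS patch")
```

The ranges encoded here are only those quoted in the article; Juniper's advisory remains the authoritative source for which releases carry the fix.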

Discussion

  • Rodger Sweet on

    Can you tell me specifically what version has the security fix for this issue for the SSG series
    • Khürt Williams on

      Read the article. The link was in the first sentence.
  • August on

    In short, Juniper Networks outed an outdated NSA legacy VPN decryption code. It appealed to the NSA to be allowed to create a patch, as the tipping point of the code creating more harm than good: over time this has been discovered and is well known in select communities of interest, stripping away any/most value to the NSA.
  • Brandon Sikes on

    The fix is mitigated in ScreenOS 6.3.0r21.
