Juniper Networks has admitted that it has found “unauthorised” code embedded in an operating system running on some of its firewalls.
The code, which appears to have been in multiple versions of the company’s ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software.
Attackers with resources and skills could separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.
Bob Worrall, the companies’ CIO wrote in a post that the code was found during a recent internal code review.
Patched releases for the latest versions of ScreenOS have since been issued. He pointed out that while the spooks who put the backdoors in place might have patted themselves on the back, they could have been found and exploited by anyone friend or foe.
The backdoors placed a hardcoded master password left behind in Juniper’s software by the attackers. All the attackers had to do was figure out the password by examining Juniper’s code.
'This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire," he said.
The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the US, the Chinese, or the Israelis. This is because you need to have wiretaps on the internet for that to be a valuable change to make in the software.”
Juniper released patches for the software yesterday and advised customers to install them immediately, noting that firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable. Release notes for 6.2.0r15 show that version being released in September 2012, while release notes for 6.3.0r12 show that the latter version was issued in August 2012.
Still Juniper is not the only router maker who faced this sort of problem. Its rival Cisco found a similar issue earlier this year.