Saturday, 19 December 2015

Juniper Firewalls with ScreenOS Backdoored Since 2012

hacking-juniper-firewall-security

Juniper Networks has announced that it has discovered "unauthorized code" in ScreenOS, the operating system for its NetScreen firewalls, that could allow an attacker to decrypt traffic sent through Virtual Private Networks (VPNs).

It's not clear what caused the code to get there or how long it has been there, but the release notes posted by Juniper suggest the earliest buggy versions of the software date back to at least 2012 and possibly earlier.


The backdoor impacts NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, states the advisory published by the company. However, there's no evidence right now that whether the backdoor was present in other Juniper OSes or devices.

The issue was uncovered during an internal code review of the software, according to Juniper chief information officer Bob Worrall, and requires immediate patching by upgrading to a new version of the software just released today.
"Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Worrall said.

How Does the Backdoor Occur? 


The backdoor occurred due to a pair of critical vulnerabilities:
  • First allows anyone to decrypt VPN traffic and leave no trace of their actions
  • Second allows anyone to complete compromise a device via an unauthorized remote access vulnerability over SSH or telnet.
In short, an attacker could remotely log-in to the firewall with administrator privileges, decrypt and spy on thought-to-be-secure traffic, and then even remove every trace of their activity.

Sounds awful, although Juniper claims the company has not heard of any exploitation in the wild so far and released patched versions of Screen OS that are available now on its download page.