Uncategorized

Holy Cow! Alert For Juniper Netscreen Firewall Users

December 18, 2015 mitch tanenbaum Leave a comment

UPDATE: According to the Wired article below, the remote access issue was caused by a hard coded master password. Of course, now that people know there is one, they can look at the code and find it, which means that if you have not patched your Juniper firewalls, you are at a high risk for being owned.

The article also says that the VPN issue may allow an attacker to decrypt any traffic that they have captured in the past. So if the Chinese, for example (or US or Russian or …) had captured traffic hoping that they might be able to decrypt it some time in the future, now is that time.

This is one of those STOP THE PRESSES! kind of alerts. Juniper announced yesterday that there are two separate compromises to Juniper Netscreen firewalls that would allow an attacker to gain administrative access to company firewalls and also to decrypt VPN traffic. Together, this would allow an attacker to completely own your network.

If you are running a Juniper firewall running ScreenOS 6.2.r15 through 18 or 6.3.r12 through r20, you need to patch your firewalls immediately.

Juniper has been amazingly open about this, unlike some vendors. I suspect that they figured that this exploit is so bad that customers may run away from their products, so the lesser of the evil is to be honest about it. In reality, my guess is that they are no better or no worse than any other vendor. Some vendors, under the same situation, might have just said “hey, we fixed some bugs, you should patch your firewall”. The patches are available on Juniper’s web site (see link in Network World article).

A couple of notes that Juniper made:

There is no workaround other than applying the patches
They discovered this via an internal code review. This MAY be good as hackers may not have found the problem. HOWEVER, that being said, every attacker in the world knows about it now and since it is an OWN THE COMPANY bug, you need to patch this ASAP. I was at a meeting yesterday where an FBI Special Agent was speaking about security and he interrupted his presentation to tell us about it. It is that kind of high priority.
Juniper said that the bug is a result of unauthorized code in ScreenOS. While they did not explain what this unauthorized code is, to me, that indicates their development environment was compromised, If this is true, there entire code base is suspect at this time. Hopefully they are scurrying around looking at all code in all products for backdoors. Juniper says they don’t think that Junos devices (their other operating system) are affected.
The first bug allows someone to get unauthorized remote administrative access. From there, you own the device, can wipe the logs, change the configuration or do anything else you might want to do.
The second bug – which is separate from the first – would allow an attacker who could monitor your VPN traffic to decrypt it. Also, not good. There would be no indication that an attacker was decrypting your traffic.
Juniper has not said how long these devices have been infected, but some of the code being patched dates back to 2012.
While Juniper has not said how this “unauthorized code” got into the devices, one candidate, based on Snowden documents, is the NSA. They apparently have an interest in listening to organizations using Juniper hardware.

Whether this is the result of an NSA covert op, some other intelligence agencies handiwork, or some random hacker, it points to the fact that companies need to proactively monitor changes to their software to make sure that unauthorized changes are not being made. For all organizations, this should be a wake up call for internal security.

This is a very interesting development.

Information for this post came from Network World.

Another article with more details can be found in Wired.