Who Backdoored Juniper's Code?Flaws Allow Silent Authentication Bypass, VPN Decryption
The U.S. government is reportedly investigating newly discovered "unauthorized code" in the firmware that runs the NetScreen firewalls built by Sunnyvale, Calif.-based technology giant Juniper Networks. The code, which was somehow added to the firmware in 2012, would allow an attacker to remotely gain access to any vulnerable device as well as decrypt VPN traffic flowing across the device, potentially without leaving any trace.
Security experts say the severity of these two flaws cannot be understated, and have urged all users to immediately install related patches from Juniper Networks. The company's networking equipment is reportedly used by everyone from the Department of Defense and Department of Justice, to the FBI and Treasury Department, not to mention numerous businesses. Juniper's website also claims on its website that it provides technology that "U.S. intelligence agencies require."
U.S. Department of Homeland Security spokesman S.Y. Lee tells Information Security Media Group that the agency "is aware of the report regarding Juniper's software" and investigating. "As we routinely do when such vulnerabilities are brought to light, we are assessing the potential impact, if any, on federal networks, and will take any appropriate mitigation measures in close coordination with interagency partners," he says. "Additionally, the ... U.S. Emergency Computer Response Team - US-CERT - is recommending all users and administrators review the information released by Juniper and update their software."
A DHS official - speaking on background - tells ISMG that US-CERT has already distributed patch-related information to all federal agencies and is ready to offer any further, related assistance they might require. The FBI is also probing the matter, Reuters reports, although DHS and the FBI declined to comment on that report.
Juniper says that it has received no reports that the flaws have been exploited in the wild. But the company also concedes that related attacks may have left no trace, since hackers with administrative access could have deleted related logs. As a result, the full extent of the potential damage stemming from the code hack cannot yet be quantified. The networking company also has yet to detail how hackers were able to infiltrate its code repositories and update the firmware source code.
DHS didn't immediately respond to a related request for comment; the FBI declined to comment. But White House officials - speaking off the record - have reportedly suggested that a nation state is the most likely suspect behind this hack, and many security experts seem to concur. "The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the U.S., the Chinese, or the Israelis," Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, tells Wired. "You need to have wiretaps on the Internet for that to be a valuable change to make [in the software]."
The Danger Posed by Backdoors
An unnamed White House official has likened the code implantation to "stealing a master key to get into any government building," CNN reports.
The use of such language has not gone unnoticed by security experts such as Johannes Ullrich, dean of research for the SANS Institute, who is one of a number of experts who have warned that government calls to weaken encryption - by building a backdoor for "good guy" access - also creates the possibility that "bad guys" might also gain access (see Obama Stokes Crypto Debate). Furthermore, whenever details of secret backdoors get publicly released - as they so often do - they put all users at risk.
Not sure why everybody is complaining about / patching the #juniper backdoor. Aren't encryption backdoors meant to save lives??ï¿½ johullrich (@johullrich) December 19, 2015
In this case, a backdoor that was secretly inserted into Juniper's firmware may have been giving a bad actor persistent access to numerous government and corporate networks. Since the password for the vulnerability has now been published, furthermore, any other nation state, cybercrime group or gang with a political ax to grind might also have been attempting to exploit the flaw.
Internal Code Review Finds Hacked Code
News of the flaw first came to light on Dec. 17, when Juniper Networks CIO Bob Worrall warned that "during a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," without leaving a trace. "We strongly recommend that customers update their systems and apply the patched releases with the highest priority."
HD Moore, chief research officer of security firm Rapid7, says in a Dec. 20 blog post that Juniper's related security advisory details two related flaws: "a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons." He says that the VPN vulnerability dates from 2012, although the authentication flaw seems to have been added to Juniper's code in "late 2013."
Just hours after Juniper's alert was first published, Ronald Prins, CTO of cybersecurity firm Fox-IT, warned that his company had successfully identified the password for that second backdoor, after analyzing the patched and unpatched versions of the source code. Of course, attackers could also have done the same, and begun exploiting the flaw.
Hmmm. It took @foxit 6 hours to find the password for the ssh/telnet backdoor in the vulnerable Juniper firewalss. Patch nowï¿½ Ronald Prins (@cryptoron) December 18, 2015
On Dec. 20, Moore published the backdoor password - <<< %s(un='%s') = %u - which can be used to bypass either SSH or telnet authentication, provided attackers also have a valid username. He adds that the password, in a clever bit of obfuscation, was "presumably chosen so that it would be mistaken for one of the many other debug format strings in the code" by Juniper's own software developers.
A simple search on Shodan - which can identify specific types of Internet-connected devices and configurations - found 28,000 vulnerable devices with SSH enabled, including 10,000 in the United States. All of those devices are at risk from the flaw.
Moore says that the open source penetration testing toolkit Metasploit will also soon be updated with related exploit code. And he warns that for any organization that has unpatched Juniper devices, detecting related attacks "is non-trivial," especially since attackers could delete related logs, which might otherwise be mined for signs of related attacks. He recommends that organizations employ a centralized logging server - or a security incident and response management tool - since that would help prevent related logs from being deleted. Fox-IT has also released a set of rules for Snort, the open source intrusion prevention system, that can detect and help block any attempts to abuse the backdoor password.
Two Separate Vulnerabilities
In its security advisory, Juniper reports finding unauthorized code changes that it's now classified as being two separate vulnerabilities:
- Administrative Access: Designated as CVE-2015-7755, this would allow a hacker to gain remote administrative access to a device, leading to a "complete compromise of the affected device," Juniper says. It notes that this flaw, if not patched outright, can be partially mitigated by restricting administrative access to "only trusted management networks and hosts."
- VPN Decryption: Designated as CVE-2015-7756, this "may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," and is independent of the prior flaw. There is no way to mitigate this flaw, except to install the patch, it adds.
Juniper has released new 6.2.0 and 6.3.0 firmware to fix the flaws for NS, NS-5200/5400 and SSG Series devices. It has also rebuilt and released older firmware versions to eliminate the flaw.
On Dec. 20, Juniper updated its security announcement to note that the administrative access flaw affects "ScreenOS 6.3.0r17 through 6.3.0r20," while the VPN decryption flaw "affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20." The company claims that "no other Juniper products or versions of ScreenOS are affected by this issue."
But South African cybersecurity expert Haroon Meer says that where there have been at least two code-insertion hack attacks, there may have been others that have yet to be detected.
Juniper were owned enough to have backdoors silently slipped into NetScreens. What are the chances that the attackers _only_ hit ScreenOS?ï¿½ haroon meer (@haroonmeer) December 20, 2015
Juniper did not immediately respond to a request for comment about whether it has vetted the code for all of its other products to identify other potential backdoors that were added by outsiders.