Backdoor Code Found in Firewall
Engadget: One of the reasons corporate users and the privacy-minded rely on VPNs is to control access to their networks and (hopefully) not expose secrets over insecure connections. Today Juniper Networks revealed that some of its products may not have been living up to that standard, after discovering “unauthorized code” in the software that runs on its NetScreen firewalls during a code review. Pointed out by security researcher “The Grugq,” the backdoor has been present since late 2012 and can only be fixed by upgrading to a new version of software just released today.
Telnet / ssh exposes a backdoor added by attackers to ScreenOS source code. This has been there since August 2012. Noted code here.
The pair of issues that created the backdoor would allow anyone who knows about it to remotely log in to the firewall as an administrator, decrypt and spy on supposedly secure traffic, and then remove any trace of their activity. Obviously this is a Very Bad Thing, although Juniper claims it has not heard of any exploitation in the wild (which would be difficult, since no one knew it existed and attackers could hide their traces) so far.
Beyond sending IT people sprinting to patch and test their setups, now we can all speculate about which friendly group of state-sponsored attackers is responsible. US government officials have recently been pushing for mandated backdoor access to secure networks and services, but the Edward Snowden saga made clear that even our own country’s personnel aren’t always going to ask permission before snooping on any information they want to check out. I contacted Juniper Networks regarding the issue, but have not received a response at this time.
Update: A Juniper Networks spokesperson told us:
During a recent internal code review, Juniper discovered unauthorized code in ScreenOS® that could allow a knowledgeable attacker to gain administrative access and if they could monitor VPN traffic to decrypt that traffic. Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority.
The patched releases also address an SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. These two issues are independent of each other.
Newly discovered hack has U.S. fearing foreign infiltration
Washington (CNN) A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years.
The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”
The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.
One U.S. official described it as akin to “stealing a master key to get into any government building.”
The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn’t reached conclusions.
It’s not yet clear what if any classified information could be affected, but U.S. officials said the Juniper Networks equipment is so widely used that it may take some time to determine what damage was done.
A senior administration official told CNN, “We are aware of the vulnerabilities recently announced by Juniper. The Department of Homeland Security has been and remains in close touch with the company. The administration remains committed to enhancing our national cybersecurity by raising our cyber defenses, disrupting adversary activity, and effectively responding to incidents when they occur.”
Juniper Networks’ security fix is intended to seal a back door that hackers created in order to remotely log into commonly used VPN networks to spy on communications that were supposed to be among the most secure. A free trial vpn has been helpful for those new to the VPN world to decide if it is right for them.
Juniper said that someone managed to get into its systems and write “unauthorized code” that “could allow a knowledgeable attacker to gain administrative access.”
Such access would allow the hacker to monitor encrypted traffic on the computer network and decrypt communications.
Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that “US intelligence agencies require.”
Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.