Juniper firewalls compromised by spy code: What you need to know

Answers to key questions about this critical risk

Juniper Networks is warning customers to patch their NetScreen enterprise firewalls against spyware that enables attackers to take over the machines and decrypt VPN traffic among corporate sites and with mobile employees.

The danger is that attackers could exploit the code “to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper says in a security announcement.

It would enable smart attackers to exploit the vulnerability and wipe out log files, making compromises untraceable, the company says.

Here are questions and answers about what affected customers should do.

What devices are affected? Any product or platform running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. These include NetScreen-5200 and NetScreen-5400 enterprise firewalls.

What should customers do? Juniper says: “We strongly recommend that all customers update their systems and apply these patched releases with the highest priority.”

Where are these patches? Juniper has them available for download here.

Is there a workaround? No.

Has the spyware been used in the wild to crack affected machines? Juniper says: “At this time [Dec. 17], we have not received any reports of these vulnerabilities being exploited.”

How many machines are affected? Juniper hasn’t said.

How was this discovered? Juniper says it was found during “a recent internal code review.” It doesn’t say when that was or why it was undertaken.

How does Juniper characterize the problem? “Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”

What are the specifics of the vulnerabilities? There are two issues: The first, Juniper says, “allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system. “Upon exploitation of this vulnerability, the log file would contain an entry that ‘system’ had logged on followed by password authentication for a username.

“Note that a skilled attacker would likely remove these entries from the log file, thus effectively eliminating any reliable signature that the device had been compromised.”

What about the second issue? Juniper says:The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue. “There is no way to detect that this vulnerability was exploited.”

How did this bad code get into ScreenOS: Juniper hasn’t said. Some point to documents stolen by Edward Snowden that say the NSA had hardware and software that targeted NetScreen devices and could persist through reboots and upgrades.

How long has this malicious code been there? Juniper hasn’t said, but some of the code being patched is as old as September 2012.

What functions do these devices perform? Juniper describes them as integrated firewalls and VPNs with DoS and DDoS protection and traffic management.

Is other Juniper gear affected? Juniper says there’s no evidence it is. The company makes products with a separate operating system called Junos, but says, “We have no evidence that the SRX or other devices running Junos are impacted at this time.” ScreenOS is the operating system running on NetScreen devices that were developed by the company NetScreen, which Juniper bought for $4 billion in stock in 2004.

Join the CSO newsletter!

Error: Please check your email address.

More about JuniperNetScreenNSASSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts