Bad actors race to exploit Juniper firewall vulnerability

Efforts afoot to reverse engineer the flaw and create commodity exploits

Now that Juniper has created a patch for its vulnerable firewall/VPN appliances, bad actors are setting to work reverse engineering the flaw so they can exploit devices that users don’t patch, and also make a profit by selling their exploits to others.

“That’s what they do,” says John Pironti, president of IP Architects, who says he spent Friday responding to concerns about the compromised Juniper firewalls with his clients.

The pattern cyber criminals follow after vendors patch vulnerabilities is to compare the patched code to the unpatched code, figure out what the flawed code was and figure out how to use it to break into the device and the network it protects, Pironti says.

In this case Juniper says the flaw can be exploited to completely compromise a NetScreen firewall/VPN appliance via unauthorized remote administrator access via telnet or SSH, wipe out logs that would reveal the attack, and decrypt VPN traffic.

Once the reverse engineers do that, they’ll start trying out the exploit on whatever NetScreen devices they can locate in real-world networks hoping to find ones that aren’t patched, Pironti says. After that the exploits will go up for sale in underground markets and wend their way into open source penetration-testing platforms such as metasploit.

Inevitably some users fail to apply critical patches for years and years after they have been issued, he says. “It will be used for years,” he says. “This will not go away overnight.”

Since attackers can erase any trace they exploited a NetScreen appliance, IT security teams should start checking logs in the devices in line behind the firewall/VPNs. They should look for consistent and persistent traffic originating from unfamiliar and atypical IP address ranges that could represent the attackers moving inside the network once they’ve cracked the appliance, Pironti says. “See if they tried to get elsewhere,” he says.

Meanwhile, as of Friday, Juniper had yet to answer some key questions about the bad code.

In response to emails seeking more information, Juniper reiterated part of its initial announcement about the patches and provided a link to its formal advisory, but that’s it.

Some of the questions left unanswered:

  • How long has the bad code been in ScreenOS?
  • How did it get there?
  • How many units did it affect?
  • Does the problem affect every VPN tunnel or just certain tunnel types and encryption types?
  • Does Juniper recommend that customers do any sort of security audit to figure out if they have been compromised through use of this vulnerability?
  • Is there any way to find out if the vulnerability has been exploited in a particular device?

“I think that Juniper does owe us more information,” says Joel Snyder, senior partner in Opus One, a technology consultancy that has tested network firewalls for Network World. “In any case, I think that Juniper should be forthcoming with more information to let us know if they think that this was put in accidentally, on purpose, and by whom.”

It’s possible the bug was put there by a nation-state, he says, but “I would guess that it is just as likely that this is a human error and someone put something in ignorantly or for debugging that they forgot to take out.”

“People have been quick to say that this is linked to the NSA/InfoSec community in the [U.S. government], but I seriously doubt that.  ...  This was something IN the code, and it was introduced in the last few years after the product was REALLY mature.”

But the wording of the Juniper announcement – it pins the problem on “unauthorized code” – makes Pironti think it was an implant, software placed in the operating system intentionally to facilitate attacks. “Unauthorized code, to me, means an implant. It’s not like someone fat-fingered an entry.”

Join the CSO newsletter!

Error: Please check your email address.

More about JuniperNetScreenNSAOpus OneSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place