Juniper Warns of Mystery Backdoor In NetScreen Products


In-brief: the discovery of a mystery “back door” in software that runs Juniper’s NetScreen line of security products prompted an emergency warning and patch from the company, and raises the specter of nation-backed hacking.

File this one away under “suspicious.” Networking device maker Juniper has issued a warning about mysterious code it uncovered in versions of  the software that runs its NetScreen line of security appliances.

Versions of Juniper’s ScreenOS  operating system could give a remote attacker unauthorized remote access to a Juniper device via SSH or Telnet. The discovery raises concerning questions about the source of the compromise, including whether Juniper was the victim of a nation-backed hacker looking for access to its customers’ networks.

The discovery prompted an emergency patch for Juniper products running ScreenOS versions ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. Affected versions of the software date back as far as August and September of 2012.

In a blog post by Bob Worrall, Juniper’s Chief Information Officer, the company said that the back door, which was described as “unauthorized code” was found during “a recent internal code review.” A knowledgeable attacker could use the code to gain administrative access to NetScreen devices. If the attacker had access to VPN traffic, it could use the back door to decrypt those VPN connections.

The company said it has launched an investigation into the issue, but did not offer any account of the provenance of the code, nor an explanation of how the code was bundled with ScreenOS.

NetScreen devices running versions of Juniper's ScreenOS software were found to contain an unauthorized back door. (Image courtesy of Juniper.)
NetScreen devices running versions of Juniper’s ScreenOS software were found to contain an unauthorized back door. (Image courtesy of Juniper.)

Juniper has not received any reports of the back door being exploited, but it also suggested that evidence of compromise would be difficult to come by without advance knowledge of the back door. The company “strongly recommended” that customers apply the ScreenOS patches it released.

In a knowledge base article, the company said the first issue identified allows unauthorized remote administrative access to a device running ScreenOS over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system. Upon exploitation of this vulnerability, the log file would contain an entry that ‘system’ had logged on followed by password authentication for a username. However, Juniper noted that skilled attackers would take care to remove such evidence, removing “any reliable signature that the device had been compromised.”

The second issue would allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. Juniper customers would have “no way to detect that this vulnerability was exploited,” Juniper said.

ScreenOS is a proprietary operating system that runs a wide range of Juniper products under the “NetScreen” label. (Juniper acquired NetScreen in 2004.) They include NetScreen Integrated Security Gateways (ISG), NetScreen Secure Services Gateways (SSG) and NetScreen 5000-series devices.

The discovery of a long-duration back door in software used to run security products by large corporations raises the specter of a nation-state actor. One of the revelations of U.S. Government spying by former NSA contractor Edward Snowden was a program, X-Keyscore, in which networking equipment from Juniper’s competitor, Cisco Systems, was intercepted and implanted with monitoring software before being shipped along to its final destination.

Compromising the company’s operating system software would be an even more efficient means to the same end, allowing sophisticated adversaries to ship compromised devices direct from the factory that could then covertly monitor traffic to and from a target network. This, without having to organize a sophisticated interdiction operation.

Spread the word!