NetScreen Back Door Raises Internet Threat Level

The Internet Storm Center raised its threat level rating following Juniper’s disclosure of a back door affecting its NetScreen security devices.

In-brief: A widespread vulnerability in security products sold by the firm Juniper Networks prompted the Internet Storm Center to raise its threat level to “Yellow,” and urge administrators to patch affected devices immediately.

A widespread vulnerability in security products sold by the firm Juniper Networks has prompted a group that monitors the Internet for signs of instability to raise its threat level to “Yellow,” indicating the emergence of a “significant new threat.”

The SANS Internet Storm Center said it decided to raise the so-called “Infocon” from Green to Yellow after assessing the risk posed by a reported back door in Juniper’s ScreenOS software, which is run by a wide range of security products sold under the NetScreen label.

The move follows an advisory issued by Juniper on December 18 that revealed an audit of its ScreenOS operating system had turned up mysterious code in versions of the software dating back to 2012. NetScreen devices running vulnerable versions of ScreenOS could give a remote attacker unauthorized access to the device via SSH or Telnet, Juniper admitted.

The discovery prompted an emergency patch for Juniper products running ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. Affected versions of the software date back as far as August and September of 2012.
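For administrators triaging a fleet against those ranges, here is a small version check, added as an illustration and not taken from Juniper, SANS or Rapid7. The inventory, hostnames and the three result labels are constructed for the example; builds with a trailing suffix are sent to manual review as an assumption, because the ranges above name plain rNN releases only.

```python
import re

# Affected ranges as stated in the article: release train -> inclusive "r" range.
AFFECTED = {
    (6, 2, 0): (15, 18),   # 6.2.0r15 through 6.2.0r18
    (6, 3, 0): (12, 20),   # 6.3.0r12 through 6.3.0r20
}

# Matches strings such as "6.3.0r17"; anything after the r-number is kept as a suffix.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)r(\d+)(\S*)\s*$", re.IGNORECASE)


def classify(version):
    """Return 'affected', 'not-listed' or 'review' for one ScreenOS version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "review"                      # unparseable: a human has to look
    train = tuple(int(x) for x in m.group(1, 2, 3))
    release, suffix = int(m.group(4)), m.group(5)
    bounds = AFFECTED.get(train)
    if bounds is None or not bounds[0] <= release <= bounds[1]:
        return "not-listed"                  # outside the article's ranges
    # Assumption: the article's ranges name plain rNN builds only, so a build
    # with a trailing suffix inside a range is not auto-classified.
    return "review" if suffix else "affected"


def triage(inventory):
    """Group (hostname, version) pairs by classification."""
    result = {"affected": [], "review": [], "not-listed": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r17"),
    ("fw-edge-02", "6.2.0r18"),
    ("fw-branch-01", "6.2.0r14"),
    ("fw-branch-02", "6.3.0r19b"),
    ("fw-lab-01", "6.3.0r21"),
    ("fw-lab-02", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:11} {', '.join(hosts) or '-'}")
```

A "not-listed" result only means the version falls outside the ranges quoted in this article; it is not a statement that the build is patched.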

It also raised concerning questions about the source of the compromise, including whether Juniper was the victim of a nation-backed hacker looking for access to its customers’ networks.

In a blog post on Sunday, HD Moore of the firm Rapid7 detailed his company’s analysis of ScreenOS and revealed the password used to unlock the backdoor and gain access to affected NetScreen devices. Tens of thousands of such devices are accessible from the public Internet and are listening for SSH communications, making them vulnerable to attack, he said.

Noting the publication of the backdoor password, the Internet Storm Center concluded that exploitation of the back door “is trivial at this point.” And, with IT staff ready to recess for the holiday at many firms, the ISC urged organizations affected by the security hole to address it today.
