Who planted the backdoors in Juniper’s firewalls?

Who put the recently discovered “unauthorized code” in ScreenOS, which effectively opened a backdoor in Juniper’s NetScreen firewall devices and allowed attackers to decrypt VPN connections?

Speculations abound, and all currently point to a state-sponsored intruder.

Was it China? NetScreen Technologies, the company that created the aforementioned appliances and that was acquired by Juniper Networks in 2004, was founded by Chinese nationals.

As Simon Sharwood pointed out, “it’s not hard to find evidence of ongoing work on ScreenOS in Beijing: a quick trawl of LinkedIn turns up several Juniper employees who work on the operating system.” Nevertheless, this proves nothing.

The US FBI has started an investigation into the matter, as Juniper Networks is a provider of network equipment for many US-based corporations, but also for many US federal agencies (including the FBI).

On the other hand, you may remember that two years ago, documents provided by Edward Snowden showed that the NSA had the ability to backdoor Juniper’s network equipment (as well as Cisco’s, Huawei’s, and so on).

There is also speculation that the two backdoors might not be the work of the same state actor, as they are not connected.

In the meantime, it took some six hours for Dutch security firm Fox-IT to discover the password for the SSH/telnet backdoor in the vulnerable Juniper firewalls.

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” Ronald Prins, founder and CTO of Fox-IT, told Wired. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”

If they can do it, it means that many other knowledgeable hackers will be able to do it, too. And, as Rapid7’s HD Moore pointed out, there are approximately 26,000 internet-facing NetScreen devices with SSH open on the Internet at the moment.

In a blog post, he revealed the password, and also detailed some of Rapid7’s research, which indicated that the authentication backdoor might date back to late 2013, and the encryption backdoor to 2012. He also noted that not all of the ScreenOS versions Juniper first identified as vulnerable actually are.

Juniper confirmed as much on Sunday. “Since our initial announcement we’ve learned that the number of versions of ScreenOS affected by each of the issues is more limited than originally believed. Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20,” they shared, and reiterated the recommendation for admins to apply the patches as soon as possible.
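The narrowed version ranges above are what an administrator needs to triage a firewall inventory. The following Python script, an added example and not code from the article, Juniper or Rapid7, encodes exactly those stated ranges and flags which CVEs apply to each device; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges exactly as stated in Juniper's Sunday update.
# Each bound is (major, minor, patch, release) for a string like "6.3.0r17".
AFFECTED_RANGES = {
    "CVE-2015-7755": [((6, 3, 0, 17), (6, 3, 0, 20))],   # administrative access (SSH/telnet backdoor)
    "CVE-2015-7756": [((6, 2, 0, 15), (6, 2, 0, 18)),    # VPN decryption
                      ((6, 3, 0, 12), (6, 3, 0, 20))],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(version: str) -> Tuple[int, ...]:
    """Turn a ScreenOS version string such as '6.3.0r18' into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version: str) -> List[str]:
    """Return the CVEs whose stated version ranges contain this version."""
    v = parse_screenos_version(version)
    # Tuple comparison keeps major.minor.patch fixed and compares the release number,
    # so 6.3.1r5 is correctly outside the 6.3.0r12..6.3.0r20 range.
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(lo <= v <= hi for lo, hi in ranges)]


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each vulnerable host to its applicable CVEs; clean hosts are omitted."""
    return {host: cves for host, ver in inventory if (cves := affected_cves(ver))}


# Constructed sample inventory (hypothetical hostnames), not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r18"),    # both issues
    ("fw-edge-02", "6.2.0r16"),    # VPN decryption only
    ("fw-branch-07", "6.3.0r14"),  # VPN decryption only
    ("fw-lab-01", "6.3.0r21"),     # outside every stated range
]

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```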

Fox-IT has created a set of Snort rules that can detect access with the backdoor password, and its CTO has voiced his concerns that this discovery is just the beginning, and that other vendors might find similar things in their devices’ software.
