Juniper Networks backdoor confirmed, password revealed, NSA suspected

Juniper Networks makes a popular line of enterprise firewalls whose operating system is called ScreenOS. The company raised alarm bells with a late-day-on-a-Friday advisory announcing that they'd discovered "unauthorized code" in some versions of ScreenOS, a strange occurrence that hinted that a security agency or criminal enterprise had managed to tamper with the product before it shipped.

Rapid7's Hdmoore reports that he and his team have confirmed that the "unauthorized code" is a backdoor whose secret password lets whoever holds it telnet or ssh into Juniper's appliances. The password is <<< %s(un='%s') = %u, "presumably chosen so that it would be mistaken for one of the many other debug format strings in the code." Rapid7 was able to easily locate 26,000 Juniper devices that are vulnerable to this attack.

The next mystery to solve is where this unauthorized code comes from. Security advisories usually relate to vulnerabilities arising from defects -- mistakes programmers made. In this case, someone deliberately inserted a backdoor password into Juniper's devices. That's a huge deal. If it's the NSA (which looks possible, given one leak about a program called "FEEDTROUGH" that installs persistent backdoors in Juniper devices) then it will mean that the US government deliberately sabotaged tens, if not hundreds, of thousands of networks that were protected by products from a US company that is the second-largest provider of networking equipment in the world, after Cisco.

The interesting thing about this backdoor is not the simplicity, but the timing. Juniper's advisory claimed that versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 were affected, but the authentication backdoor is not actually present in older versions of ScreenOS. We were unable to identify this backdoor in versions 6.2.0r15, 6.2.0r16, 6.2.0r18 and it is probably safe to say that the entire 6.2.0 series was not affected by this issue (although the VPN issue was present). We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down 6.3.0r15 or 6.3.0r16. This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).
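Two things a defender can do with the facts above are (a) check whether a fleet's ScreenOS version strings fall inside the ranges Juniper's advisory lists as affected and (b) check a firmware image they already hold for the literal backdoor string Rapid7 identified, since that string looks like a debug format string and would otherwise be easy to overlook. The following is an added example for this post, not Rapid7's or Juniper's code: the version ranges are taken from the advisory as quoted above, the string is the one quoted above, and the sample "image" is a constructed byte string, not a real ScreenOS build. A hit on the string in a binary is an indicator to confirm, not proof by itself.

```python
"""Triage helpers for the ScreenOS authentication backdoor (CVE-2015-7755).

Added example; not Rapid7's or Juniper's code. Two defender-side checks:
  1. Is a ScreenOS version string inside the ranges Juniper's advisory lists
     as affected (6.2.0r15-6.2.0r18 and 6.3.0r12-6.3.0r20)?
  2. Does a firmware image contain the literal backdoor string Rapid7 reported?
"""
import re
from typing import List, Optional, Tuple

# The hard-coded string Rapid7 identified as the backdoor password.
BACKDOOR_STRING = b"<<< %s(un='%s') = %u"

# Affected ranges as stated in Juniper's advisory: ((major, minor, patch), first r, last r).
ADVISORY_RANGES = [
    ((6, 2, 0), 15, 18),
    ((6, 3, 0), 12, 20),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a string like '6.3.0r17' into (6, 3, 0, 17); None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def in_advisory_range(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    parsed = parse_screenos_version(text)
    if parsed is None:
        return False
    base, release = parsed[:3], parsed[3]
    return any(base == b and lo <= release <= hi for b, lo, hi in ADVISORY_RANGES)


def find_backdoor_string(image: bytes) -> List[int]:
    """Return every byte offset at which the backdoor string occurs in an image."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = image.find(BACKDOOR_STRING, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + len(BACKDOOR_STRING)


def triage(version: str, image: bytes) -> str:
    """Combine both checks into a one-line verdict for an inventory report."""
    in_range = in_advisory_range(version)
    hits = find_backdoor_string(image)
    if hits:
        return f"{version}: backdoor string present at offsets {hits}; treat as backdoored"
    if in_range:
        return f"{version}: in advisory range, string not found in this image; confirm by other means"
    return f"{version}: outside advisory range and string not found"


# Constructed sample image: ordinary NUL-terminated format strings around the
# backdoor string, mimicking how it hides among debug strings. Not a real build.
SAMPLE_IMAGE = (
    b"\x00\x00login: %s\x00"
    + b"auth failed for %s\x00"
    + BACKDOOR_STRING + b"\x00"
    + b"session %u closed\x00"
)

if __name__ == "__main__":
    for v in ("6.2.0r15", "6.3.0r11", "6.3.0r17", "6.3.0r21", "6.3.0"):
        print(triage(v, SAMPLE_IMAGE if v == "6.3.0r17" else b"login: %s\x00"))
```

The version check reproduces the advisory's ranges, not Rapid7's narrower finding that the authentication backdoor only appears from late-2013 6.3.0 releases, because an inventory should start from the vendor's list and then be refined by the string check on the actual image.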

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor [Hdmoore/Rapid7]

Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors [Kim Zetter/Wired]

Notable Replies

  1. Given the moral rectitude and intellectual prowess of our legislators, I imagine this problem will get worse before it gets better. The amount of data about each of us grows every day, and powerful people are working hard to weaken the security of that data.

    Frankly, I don't see any endgame for this trend. Is the only solution learning to love Big Brother?

  2. Shuck says:

    Wow, if we needed an example of what a government-mandated backdoor would do in practice, we've got the absolutely perfect one. Talk about a cautionary tale. That it has impacted the US government itself is just too good. Sadly, I suspect it will go right by the people who most need to have this smack them in the face.

  3. Oh you, and your dreams of reliable deterministic software :D. You think protein folding is hard, try and model all the execution paths of seven lines of JavaScript written by a nine year old.

    I swear JIT compiler writers all just want to shave years off their life, with what must be insane amounts of alcohol and cigarettes.

  4. So the password was <<< %s(un='%s') = %u. That's funny because it sounds a lot like Sun Tzu, the Chinese guy who wrote The Art of War.
