Juniper Networks backdoor confirmed, password revealed, NSA suspected

Juniper Networks makes a popular line of enterprise firewalls whose operating system is called Screen OS. The company raised alarm bells with a late-day-on-a-Friday advisory announcing that they'd discovered "unauthorized code" in some versions of Screen OS, a strange occurrence that hinted at a security agency or criminal enterprise had managed to tamper with the product before it shipped.

Rapid7's Hdmoore reports that he and his team have confirmed that "unauthorized code" is a backdoor whose secret password enables the wielder to telnet or ssh into Juniper's appliances. The password is <<< %s(un='%s') = %u, "presumably chosen so that it would be mistaken for one of the many other debug format strings in the code." Rapid7 was able to easily locate 26,000 Juniper devices that are vulnerable to this attack.

The next mystery to solve is where this unauthorized code comes from. Security advisories usually relate to vulnerabilities arising from defects -- mistakes programmers made. In this case, someone deliberately inserted a backdoor password into Juniper's devices. That's a huge deal. If it's the NSA (which looks possible, given one leak about a program called "FEEDTROUGH" that installs persistent backdoors in Juniper devices) then it will mean that the US government deliberately sabotaged tens, if not hundreds, of thousands of networks that were protected by products from a US company that is the second-largest provider of networking equipment in the world, after Cisco.

The interesting thing about this backdoor is not the simplicity, but the timing. Juniper's advisory claimed that versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 were affected, but the authentication backdoor is not actually present in older versions of ScreenOS. We were unable to identify this backdoor in versions 6.2.0r15, 6.2.0r16, 6.2.0r18 and it is probably safe to say that the entire 6.2.0 series was not affected by this issue (although the VPN issue was present). We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down 6.3.0r15 or 6.3.0r16. This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor [Hdmoore/Rapid7]

Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors [Kim Zetter/Wired]

Start the discussion at