Critical patches issued after spying backdoors found built into Juniper firewalls
For Juniper customers that may be impacted by the ScreenOS issue, Tod Beardsley, security research manager at Rapid7, recommends that, in addition to updating the firmware immediately, organizations also change passwords and investigate their own networks for potential compromises.
Juniper Networks – a network device and software maker – has found “unauthorised code” in its NetScreen firewall devices.
Considering the NSA’s active spy programs, it’s easy to connect the dots between this attack and the spy agency’s FEEDTROUGH program, which “burrows into Juniper firewalls and makes it possible to smuggle other NSA programs” into a network.
Going by the details shared by Juniper’s chief information officer Bob Worrall, the company found the “spying” code during a recent internal review.
After identifying these vulnerabilities, the firm launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.
ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable, according to an advisory. Juniper warns that exploitation could lead to a “complete compromise of the affected system”. One section of the code gives attackers remote administrative access to a device and would let them hide any evidence of tampering. Juniper said in the security announcement that a “knowledgeable” hacker could use the vulnerability to decrypt NetScreen VPN connections, although it said it has “not received any reports of these vulnerabilities being exploited”.
Unlike the NetScreen devices, the SRX firewalls are powered by Juniper’s Junos operating system. ScreenOS 6.2.0r15 was first made available in September 2012, meaning that an enterprise might have been exposed to the risk for three years.
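As an added example (not from Juniper or the article's sources), the Python script below triages a device inventory against the ScreenOS version ranges quoted above. The hostnames and sample versions are constructed, and any string that is not exactly of the form x.y.zrN is reported as unparsed for manual checking against the advisory rather than guessed at.

```python
import re

# Affected ranges as stated in the article: release train -> (first rN, last rN).
AFFECTED = {
    "6.2.0": (15, 18),
    "6.3.0": (12, 20),
}

# Matches exactly "<x.y.z>r<N>", e.g. "6.3.0r17". Anything else is not guessed at.
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)r(\d+)$")


def classify(version):
    """Return 'affected', 'not-listed' or 'unparsed' for one ScreenOS version string."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        # Suffixed or otherwise unusual build strings need a manual check.
        return "unparsed"
    train, release = m.group(1), int(m.group(2))
    bounds = AFFECTED.get(train)
    if bounds and bounds[0] <= release <= bounds[1]:
        return "affected"
    # Outside the ranges quoted in the article; this is not a statement that it is patched.
    return "not-listed"


def triage(inventory):
    """Group (hostname, version) pairs by classification, affected devices first."""
    result = {"affected": [], "unparsed": [], "not-listed": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory: hostnames and version strings are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r17"),
    ("fw-edge-02", "6.2.0r14"),
    ("fw-branch-03", "6.2.0r18"),
    ("fw-branch-04", "6.3.0r21"),
    ("fw-lab-05", "6.3.0r19b"),
    ("fw-lab-06", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Devices in the affected group are the ones to prioritise for the firmware update, password change and compromise investigation recommended above.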
The claims echoed those from December 2013, when a report said that the NSA had been planting backdoors in new computing and networking hardware from major US vendors including Cisco Systems, Juniper and Dell for years.
Juniper today denied having anything to do with the vulnerabilities, adding that it has not collaborated with any government agency to install backdoors in its systems.