Juniper Networks revealed via officials from the company, that one of its operating systems used to manage firewalls contains unauthorized code, that surreptitiously decrypts traffic sent through virtual private networks.
Bob Worrall, chief information officer at Juniper, explained that the company had uncovered the issue in the ScreenOS software and was working to fix it, as outlined in a statement posted on Thursday. “Juniper discovered unauthorised code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” he said.
At the same time, a Juniper Networks spokesperson told Engadget:
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS® that could allow a knowledgeable attacker to gain administrative access and if they could monitor VPN traffic to decrypt that traffic. Once we identified these vulnerabilities, we launched an investigation and worked to develop and issue patched releases for the impacted devices. We also reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority.
The patched releases also address an SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. These two issues are independent of each other.
More information on these issues and the fix can be found in our JSAs available here: advisory.juniper.net ”
The problem was brought to Juniper’s attention by security researcher “The Grugq”, who says in one of its most recent tweets: “Woah! Juniper discovers a backdoor to decrypt VPN traffic (and remote admin) has been inserted into their OS source forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554 …”
The so-called backdoor code issue would allow to anyone who was aware to entering the firewall as an administrator decrypt, or modify data on secure traffic and then make any trace of their activity disappear.
Juniper mentions that no suspicious moves have been caught so far, which is kind of ironic, considering that, as mentioned above, no traces would be left behind in such case.
Responsibility shifts from group to group. However, according to ArsTechnica, the fact that the VPN-breaking code was the result of unauthorized code “touched off immediate concern that ScreenOS had been deliberately tampered with. The most likely culprit for such tampering would be the NSA or one of its many counterparts around the world.”