Juniper Networks Shortens ScreenOS Threat List
Dec 21, 2015 1:14 PM PT
Juniper Networks on Sunday informed customers that recent security threats to its ScreenOS were not as widespread as initially believed.
The company last week issued an alert following its discovery in ScreenOS of unauthorized code that could allow an attacker to gain administrative control of devices using NetScreen (Administrative Access) or to decrypt a virtual private network (VPN Decryption).
The two issues are unrelated to each other, according to the company.
Juniper originally advised all customers that the Administrative Access code affected ScreenOS 6.3.0r12 through 6.3.0r20, and that the VPN Decryption code affected ScreenOS 6.2.0r15 through 6.2.0r18, and it advised users to patch their systems.
"Once we identified these vulnerabilities, we launched an investigation into the matter and worked to develop and issue patched releases for the latest versions of ScreenOS," noted Bob Worrall, senior vice president and chief information officer.
That investigation led Juniper to narrow the list of affected versions.
"Administrative Access ... only affects ScreenOS 6.3.0r17 through 6.3.0r20," Worrall wrote in Sunday's update. "VPN Decryption ... only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20."
"We strongly recommend that all customers update their systems and apply these patched releases with the highest priority," he added.
Juniper had not received any notifications of exploitation of the vulnerabilities when it issued its original alert last week, and as of Monday, it had nothing further to share on the security issues, spokesperson Danielle Hamel told TechNewsWorld.
Because the vulnerabilities are reminiscent of the disclosures whistleblower Ed Snowden made about NSA techniques to gain unauthorized access to various networking systems, questions have surfaced about whether the unauthorized code could be connected to backdoor government surveillance.
"The NSA ANT catalogue has detailed capabilities on penetrating Juniper firewalls and they have spent considerable time and effort building customized capabilities for several enterprise firewall vendors," LogicNow Security Lead Ian Trump told TechNewsWorld.
Juniper declined to respond to TechNewsWorld's specific questions about the timing of its discovery of the latest vulnerabilities, but the company vehemently denied working with government officials to install code that could exploit its own systems.
"As we've stated previously, Juniper Networks [takes] allegations of this nature seriously," said spokesperson Hamel. "To be clear, we do not work with governments or anyone else to purposefully introduce weaknesses or vulnerabilities into our products."
The company "consistently operates with the highest of ethical standards" and is committed to "maintaining the integrity, security and assurance" of its products, she said.
Juniper previously investigated reports published in Germany's Der Spiegel, which suggested that the NSA might be using "software implants" to exploit vulnerabilities in its BIOS.
Release notes from the company appear to show the affected ScreenOS flaws date back to at least 2012.
Open Source Solution?
"We don't know whether the culprit in this instance is the NSA or some other state-based actor, but it is clear that the network equipment providers are targets -- sometimes willingly, sometimes not," said Eli Dourado, research fellow and director of the Technology Policy Program at George Mason University's Mercatus Center.
Moving more of the code that runs the guts of the network to an open source model could prevent this type of intrusion, he said -- and in fact, he made that proposal in a 2013 New York Times essay, following Snowden's revelations about NSA surveillance practices.
"With more eyeballs on the code, we may be able to discourage some of these hacking attempts and better detect the ones that are not deterred," Dourado explained.
The potential impact on Juniper's customer base likely will be short term, said Avivah Litan, vice president and distinguished analyst at Gartner.
"I think it's safe to assume every network technology company has had its technology compromised by some government, and I think most CIOs realize that," she told TechNewsWorld. "Juniper is no different than others in that regard."