{"id":675,"date":"2016-01-10T04:11:11","date_gmt":"2016-01-10T12:11:11","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=675"},"modified":"2016-03-01T19:08:46","modified_gmt":"2016-03-02T03:08:46","slug":"juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/","title":{"rendered":"Juniper Networks&#8217; Embarrassment Lives On in Its Flawed SSL Configuration"},"content":{"rendered":"<p>Recent revelations from the maker of networking gear Juniper Networks have shaken the industry: Juniper has identified unauthorized code in ScreenOS, its operating system that powers the NetScreen line of Juniper firewalls. Then last Friday, cryptography researchers revealed that\u00a0Juniper has allowed changes to its code that could enable eavesdropping on encrypted virtual private network sessions of its customers.<\/p>\n<figure id=\"attachment_682\" aria-describedby=\"caption-attachment-682\" style=\"width: 660px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/juniper_networks_headquarters\/\" rel=\"attachment wp-att-682\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-682 size-large\" src=\"https:\/\/cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters-1024x493.png\" alt=\"Juniper Networks headquarters\" width=\"660\" height=\"318\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters-1024x493.png 1024w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters-600x289.png 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters-300x144.png 300w, 
https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters-768x370.png 768w\" sizes=\"(max-width: 660px) 100vw, 660px\" \/><\/a><figcaption id=\"caption-attachment-682\" class=\"wp-caption-text\">Juniper Networks headquarters (provided directly by Juniper Networks under the Creative Commons Attribution-Share Alike 3.0 Unported License)<\/figcaption><\/figure>\n<p><!--more--><\/p>\n<p>All in all, not one but two separate security vulnerabilities came to light:<\/p>\n<ul>\n<li>an administrative access backdoor to NetScreen devices (CVE-2015-7755), and<\/li>\n<li>a separate vulnerability that could\u00a0be leveraged by a &#8220;knowledgeable attacker&#8221; (using a valid user password) allowing them to <strong>monitor VPN traffic<\/strong> and <strong>decrypt VPN connections<\/strong> (CVE-2015-7756).<\/li>\n<\/ul>\n<p>The administrative access backdoor &#8220;only&#8221; impacts ScreenOS 6.3.0r17 through 6.3.0r20.\u00a0How &#8220;cool&#8221; is that.<\/p>\n<p>Realizing the potential for lasting damage to its otherwise rather flawless reputation, Juniper has hurriedly patched ScreenOS\u00a0with the release of versions\u00a06.2.0r19 and 6.3.0r21 (also 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b and 6.3.0r19b), but forgot to patch its own flawed SSL configuration (see below).<\/p>\n<figure id=\"attachment_693\" aria-describedby=\"caption-attachment-693\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/juniper-2\/\" rel=\"attachment wp-att-677\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-693 size-full\" src=\"https:\/\/cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper.jpg\" alt=\"Juniper Networks faulty SSL setup\" width=\"1000\" height=\"817\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper.jpg 1000w, 
https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper-600x490.jpg 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper-300x245.jpg 300w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper-768x627.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><figcaption id=\"caption-attachment-693\" class=\"wp-caption-text\">Juniper Networks faulty SSL setup<\/figcaption><\/figure>\n<p>The authentication backdoor could\u00a0be exploited via SSH or Telnet using a default password that is set on every affected device, but why would you want to allow Telnet connections to a firewall in the first place?<\/p>\n<p>The inconspicuous-looking password has been hidden in the ScreenOS code for years and was able to remain undetected due to its sheer brilliance (makes you wonder who signed off on the code without so much as reading it):<\/p>\n<pre class=\"\">&lt;&lt;&lt; %s(un='%s') = %u<\/pre>\n<p>According to Juniper, the password could\u00a0&#8220;only&#8221; be leveraged by an attacker who knew\u00a0a valid username for the device. 
Go figure.<\/p>\n<figure id=\"attachment_695\" aria-describedby=\"caption-attachment-695\" style=\"width: 660px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/juniper_password\/\" rel=\"attachment wp-att-695\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-695 size-large\" src=\"https:\/\/cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_password-1024x292.jpg\" alt=\"Juniper Networks: password for the backdoor\" width=\"660\" height=\"188\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_password-1024x292.jpg 1024w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_password-600x171.jpg 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_password-300x86.jpg 300w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_password-768x219.jpg 768w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_password.jpg 1516w\" sizes=\"(max-width: 660px) 100vw, 660px\" \/><\/a><figcaption id=\"caption-attachment-695\" class=\"wp-caption-text\">Juniper Networks: password for the backdoor (source: Ars Technica)<\/figcaption><\/figure>\n<p>The roots of Juniper&#8217;s embarrassment run deeper than incompetence. In a public announcement\u00a0this past\u00a0Friday, Juniper Networks Inc said that it would stop using a piece of security code that analysts believe was developed by the National Security Agency in order to eavesdrop on the users of\u00a0technology products. 
During a presentation at Stanford University, a team of cryptographers revealed that\u00a0Juniper&#8217;s code had been changed in multiple ways during 2008 to enable eavesdropping on encrypted VPN\u00a0sessions.<\/p>\n<p>Juniper, for its part, has admitted to code changes going back to 2012 and 2014.\u00a0According to\u00a0<strong>Hovav Shacham<\/strong>, a security researcher at the University of California, San Diego, the 2014 backdoor was straightforward, allowing anyone with the right password access to\u00a0everything. In\u00a02012, Juniper\u00a0changed a mathematical constant in\u00a0Dual Elliptic Curve (Dual EC) used in\u00a0its\u00a0NetScreen products that should have enabled\u00a0its author to\u00a0eavesdrop on supposedly &#8220;encrypted&#8221; communications. In its original patch, Juniper hurriedly reverted the constant\u00a0to the version that had been in use after the 2008 changes, but failed to explain why it was relying on a faulty algorithm to begin with.<\/p>\n<p>Dual Elliptic Curve cryptography is being used most prominently by\u00a0RSA, a member company in\u00a0the EMC Federation, which according to <a href=\"http:\/\/www.reuters.com\/article\/us-spying-juniper-idUSKBN0UN07520160109\" target=\"_blank\">Reuters<\/a> was granted\u00a0a $10 million federal contract to distribute it in a software kit to be\u00a0used by\u00a0others.\u00a0(EMC is currently in the process of being acquired by\u00a0Dell, Inc.).<\/p>\n<p>In the meantime, <strong><a href=\"http:\/\/www.fortinet.com\/\" target=\"_blank\">Fortinet<\/a><\/strong>, another maker of network security gear, landed\u00a0in hot water when a hard-coded password backdoor\u00a0to its <strong>FortiGate<\/strong> firewalls was publicly revealed (&#8220;FGTAbc11*xy+Qqz27&#8221;, you&#8217;re welcome). 
At least Fortinet discovered the issue and quietly patched the vulnerability back in July 2014 (CVE-2014-2216) in version 5.2.3\u00a0without releasing a security advisory at the time.\u00a0A\u00a0<a href=\"http:\/\/www.fortiguard.com\/advisory\/fortios-ssh-undocumented-interactive-login-vulnerability\" target=\"_blank\">security\u00a0advisory<\/a> calling on customers to perform upgrades\u00a0was released only recently, in response to the public outcry over the hard-coded password vulnerability.<\/p>\n<blockquote class=\"twitter-tweet\" lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">We are safe\u2026 We are protected by 2 layers of firewalls: Juniper &amp; Fortigate! <a href=\"https:\/\/twitter.com\/hashtag\/backdoors?src=hash\">#backdoors<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosechumor?src=hash\">#infosechumor<\/a><\/p>\n<p>\u2014 Xavier Mertens (@xme) <a href=\"https:\/\/twitter.com\/xme\/status\/687243555476213761\">January 13, 2016<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Recent revelations from the maker of networking gear Juniper Networks have shaken the industry: Juniper has identified unauthorized code in ScreenOS, its operating system that powers the NetScreen line of Juniper firewalls. 
Then last Friday, cryptography researchers revealed that\u00a0Juniper has allowed changes to its code that could enable eavesdropping on encrypted virtual private network sessions [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":682,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[17,33,115,89],"tags":[98,96,97,19,38],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Juniper Networks&#039; Embarrassment Lives On in Its Flawed SSL Configuration - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Juniper Networks&#039; Embarrassment Lives On in Its Flawed SSL Configuration - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"Recent revelations from the maker of networking gear Juniper Networks have shaken the industry: Juniper has identified unauthorized code in ScreenOS, its operating system that powers the NetScreen line of Juniper firewalls. 
Then last Friday, cryptography researchers revealed that\u00a0Juniper has allowed changes to its code that could enable eavesdropping on encrypted virtual private network sessions [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2016-01-10T12:11:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-03-02T03:08:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters-1024x493.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"493\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/01\/Juniper_Networks_headquarters.png\",\"width\":3264,\"height\":1572,\"caption\":\"Juniper Networks headquarters (provided directly by Juniper Networks under the Creative Commons Attribution-Share Alike 3.0 Unported 
License)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/\",\"name\":\"Juniper Networks' Embarrassment Lives On in Its Flawed SSL Configuration - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/#primaryimage\"},\"datePublished\":\"2016-01-10T12:11:11+00:00\",\"dateModified\":\"2016-03-02T03:08:46+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/juniper-networks-embarrassment-lives-on-in-its-flawed-ssl-configuration\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/675"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=675"}],"version-history":[{"count":18,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/675\/revisions"}],"predecessor-version":[{"id":729,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/675\/revisions\/729"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/682"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}