BOMBSHELL! —

“Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic

Backdoor in NetScreen firewalls gives attackers admin access, VPN decrypt ability.

An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There's no evidence right now that the backdoor was put in other Juniper OSes or devices.
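The practical first step for a defender is an inventory check against the affected release ranges quoted above. The following is an added example, not code from the article or from Juniper: it parses ScreenOS version strings and flags hosts that fall inside the listed ranges. The version-string format it accepts (`major.minor.patch` followed by `r` and a release number, with an optional trailing sub-release such as `.0`) and the sample inventory are assumptions constructed for the example; hosts outside the listed ranges are reported as "not listed" rather than "patched", because the article only names the affected ranges.

```python
import re

# Affected ScreenOS release ranges, as stated in the advisory quoted by the article:
# 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 (inclusive).
AFFECTED_RANGES = [
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 12), (6, 3, 0, 20)),
]

# Assumed format: "6.3.0r15" or "6.3.0r15.0"; the optional sub-release
# suffix is ignored for range membership (an assumption of this example).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(text):
    """Return (major, minor, patch, release) from a ScreenOS version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ScreenOS version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the version lies inside one of the affected ranges."""
    v = parse_screenos_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map hostname -> 'PATCH', 'not listed' or 'unparsed' for an inventory dict."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "PATCH" if is_affected(version) else "not listed"
        except ValueError:
            # Keep unparseable entries visible rather than silently dropping them.
            report[host] = "unparsed"
    return report


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = {
    "fw-edge-1": "6.3.0r12.0",   # inside 6.3.0r12..r20
    "fw-edge-2": "6.3.0r21.0",   # above the listed range
    "fw-dc-1": "6.2.0r14",       # just below 6.2.0r15
    "fw-dc-2": "6.2.0r18",       # upper bound of the 6.2.0 range
    "fw-lab": "unknown",         # unparseable entry
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
```

Run it against your own export of `get system` output (or whatever your inventory tool records) by replacing `SAMPLE_INVENTORY`; the ranges are inclusive on both ends, so the boundary releases r15, r18, r12 and r20 are all flagged.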

"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Juniper Chief Information Officer Bob Worrall wrote. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."

A separate advisory from Juniper says there are two separate vulnerabilities, but stops short of describing either as "unauthorized code." The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. "The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," the advisory said. "It is independent of the first issue. There is no way to detect that this vulnerability was exploited."

Whodunit?

Word that the VPN-breaking code was the result of unauthorized code, as opposed to an inadvertent programming flaw, touched off immediate concern that ScreenOS had been deliberately tampered with. The most likely culprit for such tampering would be the NSA or one of its many counterparts around the world. Classified documents leaked by former NSA subcontractor Edward Snowden showed NSA agents intercepting network gear from Cisco Systems as it was being shipped to a customer. They installed covert implant firmware onto the device before sending it to its final destination.

As involved as that process was, getting unauthorized code covertly installed into an official operating system and keeping it there for years would appear to be an even more complicated—and brazen—undertaking. This 2013 article published by Der Spiegel reported that an NSA operation known as FEEDTROUGH worked against Juniper firewalls and gave the agency persistent backdoor access.

"This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers," the article reported. "Thanks to FEEDTROUGH, these implants can, by design, even survive 'across reboots and software upgrades.' In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH 'has been deployed on many target platforms.'"

Of course, it's also possible the backdoor was installed some other way. Juniper's advisory makes no mention of who it suspects is behind the move or what steps it's taking to find out. Ars has asked Juniper for more details and will update this post as warranted.
