Updated Juniper Networks has offered a more detailed description of the security issues resulting from its find of “unauthorised code” in ScreenOS, the software that powers its firewalls.
The company's knowledge base article on the incident says: “The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system.”
While the company points out that "upon exploitation of this vulnerability, the log file would contain an entry that ‘system’ had logged on followed by password authentication for a username.” It also notes that “a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been compromised.”
The second issue, the company says, “may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue.”
And here's the nasty part:
There is no way to detect that this vulnerability was exploited.
The United States Federal Bureau of Investigation is reportedly probing the matter, while US government agencies are liaising with Juniper. And so they ought: the company markets its products as military-grade spookware.
Speculation is naturally running high as to the source of the unauthorised code, with many suggesting a state-sponsored attack or and/or an attack by a criminal gang that sells government data.
For what it is worth, The Register has been contacted by a former Juniper staffer who suggested “Maybe you should be looking where Juniper's sustaining engineering is done for the ScreenOS products.”
That work's done in China.
The Register is well aware of the many problems that flow from assuming China is a source of attacks, not least that it is just plain convenient to blame the Middle Kingdom for attacks. We're also not willing to assume that any competent government has failed to develop networked attack and defence capabilities.
For the record, however, ScreenOS has its roots in China and Juniper's 2004 acquisition of NetScreen for US$3.4bn. Netscreen was founded by Chinese nationals, but Sunnyvale, California, was home. Juniper stated, in this canned statement from December 2004, that one of the reasons it decided to open a research and development centre in the Chinese capital, Beijing, was to “leverage the Chinese roots of NetScreen Technologies.”
It's not hard to find evidence of ongoing work on ScreenOS in Beijing: a quick trawl of LinkedIn turns up several Juniper employees who work on the operating system. The Register in no way suggests that those who work in Juniper's Beijing offices are in any way associated with the unauthorised code.
We nonetheless asked Juniper if the code is known to have come from the Beijing facility. That question, and others on when Juniper became aware of the code and whether it has advised governments about the situation were all met with the answer “We have nothing further to add at this time.” ®
Updated to add
About 10 hours after its latest "nothing to add", Juniper added something in the form of news that: "Since our initial announcement we’ve learned that the number of versions of ScreenOS affected by each of the issues is more limited than originally believed."
The good news is that the Administrative Access flaw (CVE-2015-7755) "only affects ScreenOS 6.3.0r17 through 6.3.0r20."
The VPN decryption flaw, aka CVE-2015-7756, "only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20."
That's good news because it narrows the p0wnage window, but Juniper's nowhere near out of the woods as it is yet to explain how the rogue code made it into ScreenOS to begin with.