Juniper kills weak crypto
ScreenOS has been cleansed of weak crypto components found last year.
The December 2015 discovery of “unauthorised code” in the software, the operating system for the firewalls Juniper acquired when it bought NetScreen, left the company red-faced and scrambling to work out what happened.
Along the way, Juniper kicked off a code review. In this statement, the company says the ScreenOS update process is now complete.
The software now implements “the same random number generation technology currently employed across our broad portfolio of Junos OS products”, the post states, and the obsolete DUAL_EC_DRBG and ANSI X9.31 have been binned.
The two vulnerabilities were a secret administrative account in ScreenOS 6.3.0r17 through 6.3.0r20, and a VPN decryption vulnerability in 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. At the time, Juniper said there would be no way for a customer to know if their networks had been compromised.
The discovery of the secret backdoors quickly attracted the attention of the FBI.
The vulnerabilities inevitably sparked speculation that the NSA was somehow responsible.