Juniper Networks is warning customers to patch their NetScreen enterprise firewalls against spyware that enables attackers to take over the machines and decrypt VPN traffic among corporate sites and with mobile employees.
The danger is that attackers could exploit the code “to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper says in a security announcement.
It would enable smart attackers to exploit the vulnerability and wipe out log files, making compromises untraceable, the company says.
Here are questions and answers about what affected customers should do.
What devices are affected? Any product or platform running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. These include NetScreen-5200 and NetScreen-5400 enterprise firewalls.
What should customers do? Juniper says: “We strongly recommend that all customers update their systems and apply these patched releases with the highest priority.”
Where are these patches? Juniper has them available for download here.
Is there a workaround? No.
Has the spyware been used in the wild to crack affected machines? Juniper says: “At this time [Dec. 17], we have not received any reports of these vulnerabilities being exploited.”
How many machines are affected? Juniper hasn’t said.
How was this discovered? Juniper says it was found during “a recent internal code review.” It doesn’t say when that was or why it was undertaken.
How does Juniper characterize the problem? “Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”
What are the specifics of the vulnerabilities? There are two issues: The first, Juniper says, “allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system. “Upon exploitation of this vulnerability, the log file would contain an entry that ‘system’ had logged on followed by password authentication for a username.
“Note that a skilled attacker would likely remove these entries from the log file, thus effectively eliminating any reliable signature that the device had been compromised.”
What about the second issue? Juniper says: “The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue. “There is no way to detect that this vulnerability was exploited.”
How did this bad code get into ScreenOS: Juniper hasn’t said. Some point to documents stolen by Edward Snowden that say the NSA had hardware and software that targeted NetScreen devices and could persist through reboots and upgrades.
How long has this malicious code been there? Juniper hasn’t said, but some of the code being patched is as old as September 2012.
What functions do these devices perform? Juniper describes them as integrated firewalls and VPNs with DoS and DDoS protection and traffic management.
Is other Juniper gear affected? Juniper says there’s no evidence it is. The company makes products with a separate operating system called Junos, but says, “We have no evidence that the SRX or other devices running Junos are impacted at this time.” ScreenOS is the operating system running on NetScreen devices that were developed by the company NetScreen, which Juniper bought for $4 billion in stock in 2004.