Juniper Finds “Unauthorized Code” in ScreenOS; VPNs Vulnerable to Decryption

Juniper Networks announced yesterday evening that they had released an emergency patch after they discovered “unauthorized code” in ScreenOS, the operating system of its NetScreen firewalls, that could allow “a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.” Juniper Networks provides services that are used by the US government as well as private corporations.

A post on the Juniper site stated that an internal code review revealed the vulnerabilities, adding that “All NetScreen devices using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected by these issues and require patching. We strongly recommend that all customers update their systems and apply these patched releases with the highest priority.”
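Checking a device inventory against those two affected ranges is the first triage step a defender would take. The script below is an added example, not code from Juniper or from this post; the version-string format (major.minor.patch followed by an "r" release number) and the inventory data are assumptions, and anything that does not parse is reported for manual review rather than silently treated as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Inclusive affected ranges, exactly as stated in Juniper's advisory.
AFFECTED_RANGES = (
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
)

# Assumed ScreenOS format: "6.3.0r19"; an optional trailing ".N" build is tolerated.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '6.3.0r19' into (6, 3, 0, 19) so comparisons are numeric.
    Plain string comparison would wrongly sort 'r9' after 'r12'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> Optional[bool]:
    """True/False for a parseable version, None if it needs manual review."""
    v = parse_version(version)
    if v is None:
        return None
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket device names by status so the affected list can be patched first."""
    buckets: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for device, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "not_affected")
        buckets[key].append(device)
    return buckets


# Constructed sample inventory (device name -> reported ScreenOS version).
SAMPLE_INVENTORY = {
    "fw-edge-1": "6.3.0r19",   # inside 6.3.0r12..r20
    "fw-edge-2": "6.3.0r21",   # above the affected range
    "fw-dc-1": "6.2.0r9",      # below 6.2.0r15; lexicographic compare would get this wrong
    "fw-dc-2": "6.2.0r15.0",   # first affected 6.2 release, with a build suffix
    "fw-lab": "unknown-build",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```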

While Juniper says it has so far received no reports of these vulnerabilities being exploited, it strongly recommends applying the update as soon as possible.

We wanted to make our customers aware of this vulnerability, and we advise anyone using Juniper to complete the update as soon as possible.

This discovery of “secret code” in the Juniper system also illustrates the dangers of the encryption backdoors the US government is continually pushing for. As outlined in Wired: “This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire.” This code was itself a “backdoor”, and may have allowed attackers to take control of the system and decrypt encrypted traffic running through the VPN on the Juniper firewalls. Forbes also reinforces this point.

Additional information on applying the update is available on the Juniper Security Incident Response website.