

By Simon Sharwood, 17th December 2015 22:41

'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS

And it may have been there since 2008, making this a late contender for FAIL of the year

Juniper Networks has admitted that “unauthorized code” has been found in ScreenOS, the operating system for its NetScreen firewalls.

The code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”

And on The Register's reading of the situation, the unauthorised code may have been present since 2008. We make that assertion because Juniper's notice about the problem says it affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. ScreenOS 6.2 was released in 2008 and ScreenOS 6.3 in 2009. One caveat: the affected ranges begin at maintenance releases 6.2.0r15 and 6.3.0r12, not at the first 6.2.0 and 6.3.0 builds, so the earliest affected release is more recent than the debut of either branch; how much more recent is something only Juniper's release history can answer.
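The affected ranges above are inclusive and keyed on the maintenance-release number, so a quick inventory check is a parse of the "major.minor.patchrN" string followed by a range test. The following is an added example, not Juniper's code or anything from the advisory; it assumes ScreenOS version strings look like "6.3.0r18" or "6.3.0r18.0" (the trailing ".0" build suffix is an assumption), and the sample inventory is constructed for illustration.

```python
import re

# Affected ScreenOS release ranges as stated in Juniper's notice, keyed on the
# release branch, with inclusive (first, last) maintenance-release numbers.
AFFECTED_RANGES = {
    "6.2.0": (15, 18),
    "6.3.0": (12, 20),
}

# Assumed version-string shape: "<branch>r<maintenance>[.<build>]", e.g. "6.3.0r18.0".
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(text):
    """Return (branch, maintenance_release) for a string like '6.3.0r18'.

    Raises ValueError when the string does not match the assumed format, so
    callers never silently treat garbage as a safe version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    return m.group(1), int(m.group(2))


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    branch, r = parse_screenos_version(version)
    if branch not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[branch]
    return low <= r <= high


def triage(inventory):
    """Classify (hostname, version) pairs.

    'affected'    : inside a listed range, patch as soon as possible
    'not listed'  : parses, but outside every listed range (check the advisory
                    for the fixed release rather than assuming it is clean)
    'unparseable' : version string did not match the assumed format, so it
                    needs manual inspection rather than being skipped
    """
    result = {}
    for host, version in inventory:
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r18.0"),
    ("fw-edge-02", "6.3.0r11"),
    ("fw-dc-01", "6.2.0r15"),
    ("fw-dc-02", "6.2.0r19"),
    ("fw-lab-01", "5.4.0r10"),
    ("fw-lab-02", "unknown"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Anything that does not parse is reported rather than dropped: on a fleet audit, a device whose version string you cannot read is exactly the one that deserves a second look.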

We've asked Juniper whether it has any theory about the origin of the code and have been told the company has nothing to say on the matter beyond the notice linked above and canned statements from its PR team.

Just what happened is therefore obscure for now, but the obvious scenarios aren't good news for Juniper.

The first scenario we're considering is an internal SNAFU in which rejected code was left in production releases of ScreenOS. That would be an unfortunate error with potentially terrifying consequences, but also a rather "better" explanation than our second scenario: parties unknown sneaked the code into ScreenOS in order to do ill to Juniper customers. Would such malfeasants have done so in the hope of finding something interesting, or in order to target known Juniper users?

Whatever the source of the code, the fact remains that a major vendor's security appliances have been revealed, by the vendor itself, to contain very dangerous code of which it knew nothing. For years. During which time customers' confidential communications may well have been monitored.

Juniper has issued an out-of-band patch for the problem and strongly recommends applying it "as soon as possible."

The Register has contacted Juniper again to seek detail beyond those statements, but is yet to receive a reply.
