Juniper Networks has admitted that “unauthorized code” has been found in ScreenOS, the operating system for its NetScreen firewalls.
The code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”
More ReadingJuniper resets 'days since last rogue code incident' clockJuniper's VPN security hole is proof that govt backdoors are bonkersHow to log into any backdoored Juniper firewall – hard-coded password publishedJuniper 'fesses up to TWO attacks from 'unauthorised code'Juniper hardware and software to sleep in separate beds
And on The Register's reading of the situation, the unauthorised code may have been present since 2008, an assertion we make because Juniper's notice about the problem says it impacts ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. ScreenOS 6.2 was released in 2008. Screen OS 6.3 came out in 2009.
We've asked Juniper if it has any theories about the origin of the code and have been told the company has nothing to say on the matter beyond the post we've linked to above and canned statements from its PR team.
Just what happened is therefore obscure for now, but the obvious scenarios aren't good news for Juniper.
The first scenario we're considering is an internal SNAFU that saw rejected code left in production releases of ScreenOS. That's an unfortunate error with potentially terrifying consequences, but also a rather "better" reason than our second scenario: parties unknown snuck the code into ScreenOS in order to do ill to Juniper customers. Would such malfeasants have done so in hope of finding something interesting, or in order to target known Juniper users?
Whatever the source of the code, the fact remains that a major vendor's security appliances have been revealed – by the vendor – to contain very dangerous code about which it knew nothing. For years. During which time customers' confidential communications may well have been monitored.
Juniper's issued an out-of-band patch for the problem and strongly recommends its application “as soon as possible.”
The Register has contacted Juniper to seek more detail about the situation, but is yet to receive a reply. ®