By | Simon Sharwood 17th December 2015 22:41

'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS

And it may have been there since 2008, making this a late contender for FAIL of the year

Juniper Networks has admitted that “unauthorized code” has been found in ScreenOS, the operating system for its NetScreen firewalls.

The code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”

On The Register's reading of the situation, the unauthorised code may have been present since as early as 2008. We say that because Juniper's notice about the problem says it affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20; ScreenOS 6.2 was released in 2008 and ScreenOS 6.3 in 2009. Note, though, that both affected ranges start at a maintenance revision (r15 and r12) rather than at the first build of either release train, so the notice implies the code arrived in a later update rather than with the 2008 release itself: 2008 is the earliest possible date, not the most likely one.
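For anyone with a fleet of NetScreen boxes, the practical question is which ones fall inside the ranges Juniper lists. The following is an added example, not code from the article or from Juniper: it parses ScreenOS version strings of the form seen in the notice (`6.3.0r12`, assumed here to be major.minor.patch followed by `r` and a revision number, with an optional trailing letter that this code treats as the same revision) and triages a constructed inventory against the affected ranges quoted above. Anything outside those ranges is reported only as "not listed", since the notice, not this script, is the authority on what is fixed.

```python
import re

# Affected ranges exactly as quoted from Juniper's notice in the article:
# (release train, first affected revision, last affected revision), inclusive.
AFFECTED_RANGES = [
    ((6, 2, 0), 15, 18),   # ScreenOS 6.2.0r15 through 6.2.0r18
    ((6, 3, 0), 12, 20),   # ScreenOS 6.3.0r12 through 6.3.0r20
]

# Assumed version-string layout, e.g. "6.3.0r19"; an optional trailing
# letter (e.g. "6.3.0r19a") is accepted and treated as the same revision.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)([a-z]?)$")


def parse_screenos_version(text):
    """Return ((major, minor, patch), revision, suffix) or raise ValueError."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    train = tuple(int(x) for x in m.group(1, 2, 3))
    return train, int(m.group(4)), m.group(5)


def is_affected(text):
    """True if the version falls inside one of the listed affected ranges."""
    train, revision, _suffix = parse_screenos_version(text)
    return any(train == t and lo <= revision <= hi
               for t, lo, hi in AFFECTED_RANGES)


def earliest_affected_revision(train):
    """First listed affected revision for a train, or None if not listed.

    Useful for the point made above: r15 and r12 are not the first builds
    of their trains, so the notice does not support 'since the 2008 release'.
    """
    for t, lo, _hi in AFFECTED_RANGES:
        if t == train:
            return lo
    return None


def triage_inventory(inventory):
    """Split (hostname, version) pairs into affected / not_listed / unparseable."""
    buckets = {"affected": [], "not_listed": [], "unparseable": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "not_listed"
        except ValueError:
            bucket = "unparseable"
        buckets[bucket].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "6.3.0r19"),    # inside 6.3.0r12..r20
    ("fw-dc2-edge", "6.2.0r15"),    # lower bound of 6.2.0 range
    ("fw-branch-01", "6.2.0r14"),   # one revision below the 6.2.0 range
    ("fw-branch-02", "6.3.0r11"),   # one revision below the 6.3.0 range
    ("fw-lab", "6.3.0r20"),         # upper bound of 6.3.0 range
    ("fw-legacy", "5.4.0r10"),      # train not listed in the notice
    ("fw-unknown", "unknown"),      # bad inventory data
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Because a version one revision below either range is not listed, the triage deliberately keeps "not listed" separate from "patched": only the vendor notice can say which builds are clean.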

We've asked Juniper if it has any theories about the origin of the code and have been told the company has nothing to say on the matter beyond the post we've linked to above and canned statements from its PR team.

Just what happened is therefore obscure for now, but the obvious scenarios aren't good news for Juniper.

The first scenario we're considering is an internal SNAFU that saw rejected code left in production releases of ScreenOS. That's an unfortunate error with potentially terrifying consequences, but also a rather "better" reason than our second scenario: parties unknown snuck the code into ScreenOS in order to do ill to Juniper customers. Would such malfeasants have done so in hope of finding something interesting, or in order to target known Juniper users?

Whatever the source of the code, the fact remains that a major vendor's security appliances have been revealed – by the vendor – to contain very dangerous code about which it knew nothing. For years. During which time customers' confidential communications may well have been monitored.

Juniper has issued an out-of-band patch for the problem and strongly recommends that customers apply it “as soon as possible.”

The Register has contacted Juniper to seek more detail about the situation, but has yet to receive a reply. ®
