Juniper Networks code review reveals no new backdoors

Juniper's continuing internal code audit closes some vulnerabilities in Junos OS products and, even better, unearths no other examples of spying code

Juniper Networks code review reveals no new backdoors
Credit: Guilherme Tavares

After Juniper Networks discovered unauthorized code in its networking gear late last year, the company's developers launched an internal code review for its other networking product lines. As a result of the effort, Juniper found and patched a number of security vulnerabilities in Junos OS, the FreeBSD-based operating system used in Juniper's routing, switching, and security devices, that could lead to privilege escalation, denial-of-service, and spoofing attacks.

The good news is Juniper didn't uncover any vulnerabilities that were already being exploited. More good news: The patches are available and should be applied.

Juniper Networks launched an investigation into all of its products late last year after discovering unauthorized code in its ScreenOS software, which is used in NetScreen firewall, VPN, and other traffic-shaping technology. The unauthorized code let attackers remotely gain administrator access to affected devices via SSH and telnet, as well as to decrypt VPN traffic passing through the network appliance.

Security experts concluded that multiple nation-state groups, including the NSA, had most likely taken advantage of the weakness in ScreenOS encryption and had been able to decrypt and monitor Juniper traffic in the United States and around the world.

The big question back then was whether other Juniper gear had been similarly compromised. The answer so far seems to be no.

Issues fixed in Junos OS

Juniper's internal product security testing team found multiple escalation-of-privilege flaws in Junos OS. Attackers can exploit certain combinations of Junos OS command-line commands and arguments to gain root access (CVE-2016-1271) to the operating system, according to the Juniper Networks SIRT (Security Incident Response Team). The vulnerability, which has a common vulnerability scoring system (CVSS) value of 7.8 and is rated as high severity, would let attackers achieve elevated privileges and gain complete control of the device, the advisory warned. Fixes are available in the following versions: Junos OS 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3X48-D25, 13.2R8, 13.3R7, 14.1R6, 14.2R4, 15.1R1, 15.1F2, 15.1X49-D15, and all subsequent releases.

"No other Juniper Networks products or platforms are affected by these issues," the advisory said.

As a workaround, administrators can also use access lists or firewall filters to limit access to the router's CLI only from trusted hosts or from "highly trusted" administrators. Juniper said these vulnerabilities are currently not being exploited in the wild.

Juniper also fixed a BGP processing bug that could crash the RPD daemon in any product or platform running Junos OS with family BGP-based L2VPN or VPLS (CVE-2016-1270). Upon receipt of a specially crafted BGP "family l2vpn" update message, the RPD daemon would crash and restart.

With enough volume, this attack could lead to an extended denial-of-service attack. The good news is that the vulnerability can't easily be exploited because it's configuration-specific, as well as the fact the attack vector can be triggered only from inside the customer network.

Finally, Juniper closed 11 security vulnerabilities in the cURL and libcurl libraries, which are related to the ability to download updates or import data into Junos devices. Of the 11, only three have a CVSS score of higher than 5.5. The fixes are in Libcurl and cURL versions 7.42.1.

The denial-of-service flaw in hostname processing is the most severe, with a CVSS score of 9, as remote attackers could use a zero-length host name (http://:80, for example) to cause an out-of-bounds read or write error and crash the system. The other denial-of-service bug in cookie sanitization (CVE-2015-3145) could let remote attackers cause an out-of-bounds read or write error with a cookie path containing only a double-quote character. The final bug in libcurl's DarwinSSL implementation would allow man-in-the-middle attackers to spoof servers via a specially crafted TLS certificate.

The ongoing ScreenOS saga

Juniper recently updated ScreenOS to swap out controversial random-number-generator components for a more modern and superior method. Experts believe nation-state snoops were able to spy on digital communications because ScreenOS had used DUAL_EC_DRBG and ANSI X9.31 random-number-generator components, which are considered flawed.

ScreenOS now uses HMAC-DRBG, "the same random-number-generation technology currently employed across (its) broad portfolio of Junes OS products," Juniper said in a brief bulletin posted last week. That latest version, ScreenOS 6.3.0r22, contains the changed code.

Juniper Networks has been quiet about its reasons for using DUAL_EC in the first place, but it's a good sign that the company has changed how ScreenOS handles encryption.

In case administrators missed it, devices running ScreenOS was also susceptible to the DROWN attack, as it supported the long-deprecated SSLv2 protocol. The vulnerability was fixed in ScreenOS 6.3.0r19. Administrators could also disable SSLv2 and SSLv3 manually via the "unset ssl ssl3" CLI command.

There's no such thing as bug-free software, so Juniper's code review is welcome. There may be no other signs that anyone else has backdoored the company's networking gear, but nation-state spooks aren't the only malicious actors to worry about. Prioritize and apply those patches before someone exploits those flaws.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.