Juniper promises to fix ScreenOS cryptography ... eventually

Juniper said it has found no other evidence of tampering in its source code and pledged to replace the broken cryptographic functions in its VPN technology with a robust alternative

Juniper Networks plans to remove the problematic cryptographic functions used by its firewall and VPN appliances. Despite the good news, Juniper still has not answered some of the most perplexing questions about the ScreenOS saga.

Juniper Networks launched an investigation in December after discovering unauthorized code in its ScreenOS software, which is used in NetScreen firewall, VPN, and traffic-shaping technology. The unauthorized code lets an attacker remotely gain administrative access to affected devices via SSH and telnet. It also lets an attacker with access to VPN connections decrypt VPN traffic passing through the appliance.

The investigation did not uncover other instances of unauthorized code in Juniper software, but the company decided to modify ScreenOS to “enhance the robustness of the ScreenOS random-number generation subsystem,” Bob Worrall, senior vice-president and CIO of Juniper Networks, wrote on the company’s Security Incident Response blog.

Juniper will replace the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) and ANSI X9.31 in ScreenOS 6.3 with the same random-number technology used in Junos OS products. The investigation confirmed that Junos OS, the operating system used in Juniper’s routing, switching, and security appliances, had not been tampered with, which is why the new ScreenOS will adopt the same mechanism.

The version of ScreenOS with the replacement random-number generator will be available at some point “in the first half of 2016,” Worrall said.

Juniper examined hot spots in Junos OS, meaning the areas that contain code similar to ScreenOS, such as the VPN, encryption, and authentication code. In addition, the company inspected its build environments for evidence of tampering or unauthorized access.

“The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS,” Worrall said.

Juniper’s ScreenOS mystery

Researchers had traced the decryption vulnerability to ScreenOS’s use of Dual EC, a random-number generator whose weaknesses were already well known. Juniper had previously defended the decision by saying it had implemented safeguards to offset those weaknesses.

However, Stephen Checkoway, a computer science professor at the University of Illinois at Chicago, found signs that Juniper introduced Dual EC into ScreenOS long after it had implemented ANSI X9.31. That ordering is hard to explain: adding Dual EC, which the National Security Agency subverted, weakened a system that was already secure. Checkoway was part of a team of cryptographers who examined how Juniper’s modifications further weakened ANSI X9.31 and presented the findings at the Real World Cryptography Conference 2016 at Stanford last week.
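The weakness the researchers are referring to is structural: Dual EC publishes two curve points, P and Q, and whoever chose them can also know a scalar d with P = d·Q. With d in hand, a single truncated output is enough to compute the generator's next internal state and predict every later output, which is why feeding raw Dual EC output into a VPN nonce is fatal. The following is an added illustration, not Juniper's code and not the NIST P-256 constants: the curve, prime, trapdoor scalar and seed are all constructed, and the toy drops 4 bits of each output instead of the 16 that real Dual EC drops, so the brute-force step stays visible. Only the P = d·Q relationship and the state-recovery step are the real weakness; everything else is scaffolding.

```python
"""Toy Dual EC DRBG with a trapdoored P/Q pair (constructed example; not
Juniper's code and not NIST's parameters). Real Dual EC runs on P-256 and drops
the top 16 bits of each x-coordinate; the toy drops 4 so the search stays small."""
import random

P_MOD = 1_000_003      # prime with P_MOD % 4 == 3, so sqrt is a single pow()
B = 7                  # constructed curve y^2 = x^3 + 7 over GF(P_MOD)
TRUNC_BITS = 4
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS   # outputs are 16 bits wide
OUT_MASK = (1 << OUT_BITS) - 1

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def x_of(pt):
    if pt is None:
        raise ValueError("hit the point at infinity; reseed the toy generator")
    return pt[0]

def lift_x(x):
    """A curve point with this x-coordinate, or None if there is none."""
    v = (x * x * x + B) % P_MOD
    if v and pow(v, (P_MOD - 1) // 2, P_MOD) != 1:
        return None
    return x, pow(v, (P_MOD + 1) // 4, P_MOD)

def make_trapdoored_params(rng):
    """Pick Q, then P = d*Q. Users get P and Q; only the designer keeps d."""
    while True:
        Q, d = lift_x(rng.randrange(1, P_MOD)), rng.randrange(2, P_MOD)
        if Q is not None and mul(d, Q) is not None:
            return mul(d, Q), Q, d

class DualEC:
    """s_i = x(s_{i-1}*P); r_i = x(s_i*Q); emit r_i with its top bits dropped."""
    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed

    def next_output(self):
        self.s = x_of(mul(self.s, self.P))
        return x_of(mul(self.s, self.Q)) & OUT_MASK

def recover_state(d, P, Q, observed):
    """Attacker holding d and >= 2 consecutive outputs. Lift the first output to
    R = +-s*Q (brute-forcing the dropped bits); d*R = +-s*P, whose x-coordinate is
    the next internal state (the sign of y does not affect x). Keep the candidate
    that reproduces the later outputs and return the generator's current state."""
    survivors = []
    for hi in range(1 << TRUNC_BITS):
        r = (hi << OUT_BITS) | observed[0]
        if r >= P_MOD:
            break
        R = lift_x(r)
        if R is None:
            continue
        try:
            clone = DualEC(P, Q, x_of(mul(d, R)))
            ok = (x_of(mul(clone.s, Q)) & OUT_MASK) == observed[1]
            ok = ok and all(clone.next_output() == o for o in observed[2:])
        except ValueError:
            continue
        if ok:
            survivors.append(clone.s)
    if len(survivors) != 1:
        raise ValueError(f"{len(survivors)} candidate states survived")
    return survivors[0]

TRAP_P, TRAP_Q, TRAP_D = make_trapdoored_params(random.Random(2016))  # constructed

def run_attack(seed, n_seen=3, n_predict=5):
    """Leak n_seen outputs (e.g. a nonce on the wire), recover the state, then
    compare the attacker's predictions with what the generator really emits."""
    gen = DualEC(TRAP_P, TRAP_Q, seed)
    seen = [gen.next_output() for _ in range(n_seen)]
    state = recover_state(TRAP_D, TRAP_P, TRAP_Q, seen)
    clone = DualEC(TRAP_P, TRAP_Q, state)
    return {"seen": seen, "state_matches": state == gen.s,
            "predicted": [clone.next_output() for _ in range(n_predict)],
            "actual": [gen.next_output() for _ in range(n_predict)]}
```

Calling `run_attack(648394)` leaks three 16-bit outputs, recovers the state from them, and returns matching `predicted` and `actual` lists. Note what the truncation buys the defender: nothing useful. Dropping 4 bits costs the attacker 16 candidate points, of which about half lie on the curve; dropping 16 bits, as the real generator does, costs 2^16 candidates, which is still a trivial search. Also note why cascading the output through a second generator (the safeguard Juniper described) would matter: the attacker needs the raw x-coordinate bits, and a design that only emitted X9.31 output derived from them would deny that. The point of the researchers' finding is that the cascade was not actually in effect.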

There are now indications that multiple intelligence agencies had altered ScreenOS.

“So Juniper has probably had 3! separate foreign intelligence agencies, one of which knew another one got in to rekey the lock,” Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, posted on Twitter.

Juniper said it is still investigating exactly how the unauthorized code was added to ScreenOS. The company also has not provided any explanations on why it used Dual EC or made the modifications that weakened ANSI X9.31.

Organizations still at risk

Despite reports that attackers are attempting to exploit the authentication bypass flaw, and despite Juniper having promptly patched both vulnerabilities in ScreenOS 6.2.0r19 and 6.3.0r21, more than 1,500 devices remained unpatched as of last week, according to security consultant Julio Cesar Fort.

Juniper’s customer list includes major carriers such as AT&T and Verizon, as well as various branches of the U.S. government. A VPN’s entire point is to protect network traffic from eavesdroppers; leaving the decryption vulnerability open means anyone who can capture traffic from an affected appliance may be able to read potentially sensitive information. Organizations using Juniper appliances need to apply the ScreenOS patch promptly and be ready to update to the new version as soon as it is released over the next few months.
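For a fleet the size of the ones just mentioned, "apply the patch" starts with finding out which devices are still below the fixed releases. The following is an added example, not a Juniper tool: it assumes the version-string layout `major.minor.patchr<release>` implied by the release numbers in the text (any trailing suffix is ignored), treats anything in the 6.2.0 or 6.3.0 branch at or above 6.2.0r19 or 6.3.0r21 as fixed, and deliberately reports branches the text says nothing about as unknown rather than guessing. The inventory is constructed.

```python
"""Flag ScreenOS builds still below the fixed releases named in the text.
Added example, not a Juniper tool; version layout and inventory are assumed."""
import re

# Fixed releases per branch, as given in the text. Branches not listed here
# cannot be judged from the text and are reported as unknown, not as safe.
FIXED = {(6, 2, 0): 19, (6, 3, 0): 21}
_VER = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)r(\d+)")   # assumed layout

def parse_version(text):
    """'6.3.0r20' -> ((6, 3, 0), 20); raises ValueError on anything else."""
    m = _VER.match(text)
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {text!r}")
    major, minor, patch, rel = (int(g) for g in m.groups())
    return (major, minor, patch), rel

def is_patched(text):
    """True/False for the 6.2.0 and 6.3.0 branches; None when the branch is
    not one the text gives a fixed release for."""
    branch, rel = parse_version(text)
    if branch not in FIXED:
        return None
    return rel >= FIXED[branch]

def audit(inventory):
    """inventory: {hostname: version string}. Unparseable entries are listed
    separately so that a bad string is never silently treated as patched."""
    report = {"unpatched": [], "unknown_branch": [], "unparseable": []}
    for host, ver in inventory.items():
        try:
            state = is_patched(ver)
        except ValueError:
            report["unparseable"].append(host)
            continue
        if state is None:
            report["unknown_branch"].append(host)
        elif not state:
            report["unpatched"].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"fw-dc1": "6.3.0r21", "fw-dc2": "6.3.0r20", "fw-br1": "6.2.0r19",
          "fw-br2": "6.2.0r18", "fw-lab": "6.1.0r7", "fw-old": "ScreenOS 5"}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The three buckets matter more than the boolean: a device whose version string does not parse, or that sits on a branch the advisory text does not cover, needs a human to look at it, and an audit that folded those cases into "patched" would undercount exactly the devices the 1,500 figure is about.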

Copyright © 2016 IDG Communications, Inc.