Juniper to Remove Controversial Security Code

Company plans to upgrade the NetScreen Screen OS in the first half of 2016 to eliminate code that could be used to introduce a serious security vulnerability.

Mitch Wagner, Executive Editor, Light Reading

January 10, 2016

3 Min Read
Light Reading logo in a gray background | Light Reading

Juniper is upgrading its firewalls by replacing controversial Dual_EC and ANSI X9.31 random number generators that critics claim leave the devices vulnerable to serious attack, and were likely planted by the NSA or other government surveillance agencies with Juniper's cooperation.

In a blog post published 7:08 pm PST Friday, Bob Worrall, Juniper Networks Inc. (NYSE: JNPR) SVP CIO, says Juniper has investigated ScreenOS, the operating system used in its NetScreen firewalls, and Junos OS, the main operating system used in most of Juniper's products. "After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS," Worrall says. "The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS."

Juniper will replace Dual_EC and ANSI X9.31 with the same random number generators used in Junos OS in a subsequent ScreenOS release in the first half of 2016, Worrall says.

Screen OS has "sufficient cryptology" pending the planned replacement of Dual_EC, Worrall says.

On Thursday, a team of cryptographers gave a presentation at Stanford University showing Juniper's code "had been changed in multiple ways during 2008 to enable eavesdropping on virtual private network sessions by customers," Reuters says.

Nicholls Weaver of the International Computer Science Institute points a finger at the NSA for inserting vulnerable code in Juniper products, according to the Reuters report.

Dual_EC "is a pseudo-random number generator ... which the security community had long warned was insecure and could be exploited for use as a backdoor. Whoever created the backdoor in Juniper's software did exactly this, hijacking the insecure Dual_EC algorithm to make their secret portal work," according to a report on Wired.

Want to know more about security? Visit Light Reading's security content channel.

Juniper released the software version containing the security vulnerability "long after the security community had become aware of the security problems with Dual_EC," Wired says.

Why would Juniper undermine the security of its own products? Security experts say it might have been done to win lucrative US government contracts, according to Wired.

Juniper disclosed the vulnerability in its code last month and issued a patch. Juniper said it had "not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority." (See Juniper Warns of 'Unauthorized Code' on Its Firewalls.)

Related posts:

— Mitch Wagner, Circle me on Google+ Follow me on TwitterVisit my LinkedIn profileFollow me on Facebook, West Coast Bureau Chief, Light Reading. Got a tip about SDN or NFV? Send it to [email protected].

About the Author

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like