
Juniper to Remove Controversial Security Code

Juniper is upgrading its firewalls by replacing the controversial Dual_EC and ANSI X9.31 random number generators, which critics say leave the devices vulnerable to serious attack and were likely planted by the NSA or another government surveillance agency with Juniper's cooperation.

In a blog post published 7:08 pm PST Friday, Bob Worrall, SVP and CIO of Juniper Networks Inc. (NYSE: JNPR), says Juniper has investigated ScreenOS, the operating system used in its NetScreen firewalls, and Junos OS, the main operating system used in most of Juniper's products. "After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS," Worrall says. "The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS."

Juniper will replace Dual_EC and ANSI X9.31 with the same random number generators used in Junos OS in a subsequent ScreenOS release in the first half of 2016, Worrall says.

ScreenOS has "sufficient cryptology" pending the planned replacement of Dual_EC, Worrall says.

On Thursday, a team of cryptographers gave a presentation at Stanford University showing Juniper's code "had been changed in multiple ways during 2008 to enable eavesdropping on virtual private network sessions by customers," Reuters says.

Nicholas Weaver of the International Computer Science Institute points a finger at the NSA for inserting vulnerable code in Juniper products, according to the Reuters report.

Dual_EC "is a pseudo-random number generator ... which the security community had long warned was insecure and could be exploited for use as a backdoor. Whoever created the backdoor in Juniper's software did exactly this, hijacking the insecure Dual_EC algorithm to make their secret portal work," according to a report on Wired.


Juniper released the software version containing the security vulnerability "long after the security community had become aware of the security problems with Dual_EC," Wired says.

Why would Juniper undermine the security of its own products? Security experts say it might have been done to win lucrative US government contracts, according to Wired.

Juniper disclosed the vulnerability in its code last month and issued a patch. Juniper said it had "not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority." (See Juniper Warns of 'Unauthorized Code' on Its Firewalls.)


— Mitch Wagner, West Coast Bureau Chief, Light Reading. Got a tip about SDN or NFV? Send it to [email protected]

kq4ym 1/24/2016 | 6:22:34 PM
Re: NSA
This might make an interesting plot for "Madame Secretary" and other government TV dramas. Just how enticing NSA and others might be with company thoughts of whether a lucrative government contract might be worth a trade off and what getting contracts down the road might depend on.

Mitch Wagner 1/11/2016 | 5:04:44 PM
Re: Not sure...
It allows attackers to take over the appliance.

mhhf1ve 1/11/2016 | 3:31:38 PM
Not sure...
How did this security flaw allow "bad guys" access to VPN traffic? Unless that VPN traffic wasn't encrypted end-to-end....

KBode 1/11/2016 | 1:31:07 PM
Re: NSA
I imagine having plausible deniability and no paper trail helps ease their worries somewhat about it hurting business?

danielcawrey 1/11/2016 | 12:59:46 PM
NSA
Interesting read. I suppose that technology companies would be willing to put in backdoors for government contracts, but I would think they might lose business elsewhere. Why would private companies want to buy products with security holes? I guess maybe I don't understand the complexity of the situation here, but it is certainly a major concern for customers.