Juniper is upgrading its firewalls by replacing controversial Dual_EC and ANSI X9.31 random number generators that critics claim leave the devices vulnerable to serious attack, and were likely planted by the NSA or other government surveillance agencies with Juniper's cooperation.
In a blog post published 7:08 pm PST Friday, Bob Worrall, Juniper Networks Inc. (NYSE: JNPR) SVP CIO, says Juniper has investigated ScreenOS, the operating system used in its NetScreen firewalls, and Junos OS, the main operating system used in most of Juniper's products. "After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS," Worrall says. "The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS."
Juniper will replace Dual_EC and ANSI X9.31 with the same random number generators used in Junos OS in a subsequent ScreenOS release in the first half of 2016, Worrall says.
Screen OS has "sufficient cryptology" pending the planned replacement of Dual_EC, Worrall says.
On Thursday, a team of cryptographers gave a presentation at Stanford University showing Juniper's code "had been changed in multiple ways during 2008 to enable eavesdropping on virtual private network sessions by customers," Reuters says.
Nicholls Weaver of the International Computer Science Institute points a finger at the NSA for inserting vulnerable code in Juniper products, according to the Reuters report.
Dual_EC "is a pseudo-random number generator ... which the security community had long warned was insecure and could be exploited for use as a backdoor. Whoever created the backdoor in Juniper's software did exactly this, hijacking the insecure Dual_EC algorithm to make their secret portal work," according to a report on Wired.
Juniper released the software version containing the security vulnerability "long after the security community had become aware of the security problems with Dual_EC," Wired says.
Why would Juniper undermine the security of its own products? Security experts say it might have been done to win lucrative US government contracts, according to Wired.
Juniper disclosed the vulnerability in its code last month and issued a patch. Juniper said it had "not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority." (See Juniper Warns of 'Unauthorized Code' on Its Firewalls.)
- British Spy Agency & NSA Tied to Juniper Vulnerabilities – Reports
- Cisco Launches Code Review Following Juniper Backdoor Disclosure
- FBI Investigating Juniper VPN Hack