'Unauthorized Code' In Juniper Firewalls Could Decrypt VPN Traffic (arstechnica.com)
m2pc writes: Ars Technica reports that Juniper Networks firewalls have been discovered to include "unauthorized code" inserted into their ScreenOS software. Juniper has published an advisory addressing the matter, with instructions to patch the affected devices.
From the Ars article: "NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. ... The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. 'The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic,' the advisory said." The rogue code was discovered during a recent internal source code review conducted by Juniper.
says Cisco . . . . .
I'm not entirely certain why the government is bothering to raise such a fuss about strong crypto. (Other than to make it look like they have no options) While no evidence exists that Big Brother is responsible for it, they are the most likely suspects. Not much of a need to break the crypto itself when you can install a bypass of some sort into the mix.
I wonder how much it costs to coerce a programmer type to insert a few bits of code into your project.
Thanks for disclosing this, Juniper, but why didn't you know about it three years ago? What else is hiding in your products? This is quite different from a software flaw introduced by a mere human. This is indicative of a poorly managed, haphazard approach to managing software development.
The phrase "Unauthorized code" smells of weasel wording. If the malware was injected afterwards (either through a network attack or a physical intercept-and-tamper), then the manufacturer could reasonably call it "unauthorized" or "malware" or similar; but if they shipped it, how much more 'authorized' do you get?
Perhaps "mistakenly authorized after slipping past scrutiny" or "authorized by one or more of our employees who is also a spook", or "we fucked up"; but not really "unauthorized". Were I a customer, I'd want a much, much, better account of how exactly this 'unauthorized code' came to be present, when, and who knew about it, who didn't, and why or why not.