Slashdot Mirror

← Back to Stories (view on slashdot.org)

Juniper OS Flaw Allowed Forged Certificates (arstechnica.com)

Posted by EditorDavid on from the trusted-sources dept.

Slashdot reader disccomp shares an article from Ars Technica: In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder...

"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."

26 comments

  1. All they had to do by Master5000 · · Score: 1, Insightful

    ... was to make the damn thing secure. That's why it exists. And they still failed. It's like selling a bread that doesn't taste or has the same ingredients like a real bread. But you still call it bread and sell it. These companies should be boycotted. It's our security that we're talking about! There should be repercussions for these kind of failures!

    1. Re:All they had to do by JustAnotherOldGuy · · Score: 1

      ... was to make the damn thing secure. That's why it exists. And they still failed. It's like selling a bread that doesn't taste or has the same ingredients like a real bread.

      Agreed...they had ONE job...all it had to do was what it's supposed to do, and they couldn't even get that right.

      I say we go into business selling square wheels and when clients find out that they don't work, we'll issue a "patch" to correct it: a triangular wheel.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:All they had to do by amxcoder · · Score: 1

      Not to be critical, but you might want to release the triangle wheel first, that way the square wheel is an improvement over it (however still flawed), then after that a pentagon wheel, then a hexagon wheel... The users will feel the product is getting better and better with each release, even though the wheel still isn't round.

    3. Re:All they had to do by Sax+Russell+5449D29A · · Score: 1

      These companies should be boycotted.

      This *is* the general sentiment, but the fact is that there is only very few companies that can satisfy corporate needs in this area and all of these companies are ridden with identical problems. You'd essentially have to boycott them all.

      --
      -SR
    4. Re:All they had to do by JustAnotherOldGuy · · Score: 1

      Not to be critical, but you might want to release the triangle wheel first, that way the square wheel is an improvement over it (however still flawed), then after that a pentagon wheel, then a hexagon wheel...

      You're absolutely right. In addition to the PR campaign bragging about the innovation in providing the upgrade, it'll cost a little more for the hexagon wheel. After all, it's a hexagon and many people have no idea what that means, so naturally it would cost more.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:All they had to do by Master5000 · · Score: 0

      But it's absurd. The quality of these products must be so low. I'm not saying it's not a hard problem, but dammit it's their job.

    6. Re:All they had to do by Zontar+The+Mindless · · Score: 1

      It seems to have worked with men's disposable razors. (As predicted by Mad Magazine back in the 1970s.)

      --
      Il n'y a pas de Planet B.
    7. Re:All they had to do by jezwel · · Score: 1

      Can you name one product manufacturer with this type of computer-related scale that does *not* have security vulnerabilities?
      CISCO is certainly not immune.

    8. Re:All they had to do by GNious · · Score: 1

      Forcibly rename the company, "I Can't Believe It's Not Security!" ?

  2. Flaw? by Anonymous Coward · · Score: 0

    Or NSA directive?

    *dun-dun-dunnnnnn*

    1. Re:Flaw? by TheRealHocusLocus · · Score: 1

      An NSA-inspired 'oopsie'.

      Infinite arrogance breeds infinite incompetence.
      The only thing worse than a committee is a committee that meets in secret.
      In unity there is stench.

      --
      <blink>down the rabbit hole</blink>
  3. Jupiner again? by manu0601 · · Score: 1

    Juniper already had a backdoor in VPN products.

    Does it means they had NSA-corrupted engineers, or that they have better processes than others to find this kind of stuff that would happen everywhere?

    1. Re:Jupiner again? by Anonymous Coward · · Score: 1

      That is the question, isn't it?

      We know that the NSA hunts SysAdmins in order to gain control over the systems and networks they manage. With that level of access inside Juniper, the NSA could easily have added these features themselves. In that case, kudos to Juniper for discovering the features and fixing them. Now they need to discover how they were added and what level of access the NSA has inside their systems.

      We also know that the NSA receives voluntary cooperation from numerous network providers. This could have allowed them access to Juniper credentials, or they might even have had the cooperation of Juniper management or turned Juniper admins.

      Or it may have been honest bugs.

      I imagine that with the "most transparent administration in history" we may never know, unless we get more whistleblowers and better whistleblower protections.

    2. Re:Jupiner again? by gweihir · · Score: 1

      I don't think the NSA is behind this. The NSA would have delivered backdoors that are very hard or impossible to find. These seem to be within reach of an ordinary in-detail security review of the system by anybody competent. A known backdoor is worthless.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Jupiner again? by Anonymous Coward · · Score: 0

      A smart adversary puts in two backdoors. One is relatively easy to find, and looks like it could be an accident. The other one you're really going to have to dig for.

    4. Re:Jupiner again? by manu0601 · · Score: 1

      We know that the NSA hunts SysAdmins in order to gain control over the systems and networks they manage. With that level of access inside Juniper, the NSA could easily have added these features themselves.

      Hunting sysadmins is perfect to get access to data, but that is less effective to alter stuff. I am certain Juniper uses some version control tool. Modifying something leaves trails.

      I am more inclined to think about an NSA agent being hired by Juniper as developer (or a Juniper developer being hired by NSA) in order to add subtle security bug in a legitimate software change.

  4. When one door closes by Anonymous Coward · · Score: 0

    another door opens...

  5. Sounds HARMLESS by Anonymous Coward · · Score: 0

    Nothing to see or hear. Move along rubber neckers. Mind your own.

  6. Incompetence or malicious intent? by gweihir · · Score: 2

    My money is on incompetence, as this was obviously something people could find by just looking. IMO incompetence is worse because while intent can be fixed pretty fast if needed, incompetence cannot.

    It is also a pretty good indicator for the sad state of practical IT when a security element (!) does not even manage to get something as basic as certificate verification right.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Incompetence or malicious intent? by l0n3s0m3phr34k · · Score: 2

      Incompetence is also worse because there is an unknowable number of problems like this. At least with intent, someone somewhere has an exact list of what has been compromised. With incompetence, systems are compromised and no one knows until it's too late.

    2. Re: Incompetence or malicious intent? by Billly+Gates · · Score: 1

      What do you want to bet an outsourced or h1b1 employee with no experience implemented this as a cost saving measure.

      Talented security professionals are expensive

      --
      http://saveie6.com/
    3. Re:Incompetence or malicious intent? by Anonymous Coward · · Score: 0

      IMO incompetence is worse because while intent can be fixed pretty fast if needed, incompetence cannot.

      Bullshit. Incompetence is NOT worse. Malicious "intent" will simply find another way in.

  7. ScreenOS by Anonymous Coward · · Score: 0

    FTW :-)

  8. It was not a bug by Anonymous Coward · · Score: 0

    it was a back-door, and back-doors do not build and install themselves. Clever to accuse "adversaries" of using it, when obviously the NSA were the only ones who knew it was there and how to use it. Regular BS and propaganda out of the U.S. tech companies as usual.

  9. So does Windows 10. by Anonymous Coward · · Score: 0

    Spyware in the utmost sense.

    Why is this listed under BSD though? BSD doesn't allow anything forged it's good to go.