Slashdot Mirror
Juniper OS Flaw Allowed Forged Certificates (arstechnica.com)
Slashdot reader disccomp shares an article from Ars Technica:
In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder...
"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."
"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."
My money is on incompetence, as this was obviously something people could find by just looking. IMO incompetence is worse because while intent can be fixed pretty fast if needed, incompetence cannot.
It is also a pretty good indicator for the sad state of practical IT when a security element (!) does not even manage to get something as basic as certificate verification right.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.