Main Topic

Juniper: A practical lesson in backdoors

Green screen computer data

Our federal government recently got a lesson in backdoors. Hopefully, the lesson will not be lost on them.

Juniper makes network equipment: firewalls, routers, switches and the like. The company recently announced the discovery of a backdoor in ScreenOS, the operating system that runs their firewalls. Juniper firewalls are widely used in both the private and public sectors. Heck, even I used to have a good working knowledge of ScreenOS, from a couple of years spent administering Juniper (then Netscreen) devices.

What was the backdoor? It was an administrator password, hard-coded into ScreenOS, the firewall’s operating system. An individual who knew secret password, could log in to any (vulnerable) firewall as an administrator. The super-secret backdoor password was <<<%s(un='%s') = %u, which (as the Register points out) looks a lot like a printf formatting string. And it's been there for three years.

A number of federal government agencies use these firewalls, and they're kind of worried about the consequences. This is for good reason. Firewalls control network perimeters -- they determine what traffic is allowed in, and what traffic is allowed out. If you have administrative access to a perimeter firewall, then you get to decide who gets in, and what network resources their allowed to reach.

If you've got one of these firewalls, it's time to get patching.

At this point, we don't know who built the backdoor. According to Techdirt, US government officials believe it "to be the work of a foreign government", perhaps China or Russia. But China and Russia aren't the only possible players. The NSA developed JETPLOW, a "firmware persistence implant" for Cisco PIX and ASA firewalls. If the NSA was able to develop an exploit for Cisco equipment, it's not a far stretch to imagine them doing a similar thing to Juniper gear.

Israel helped the united states develop Stuxnet, a cyber-weapon that targeted Siemens SCADA software, running Iranian centrifuges. If a country has the resources to get malware into a uranium centrifuge, then they probably have the resources to get a backdoor into a commercial firewall.

The North Koreans, GCHQ likely have the facilities to pull something like this off, as do some of the more sophisticated cyber-crime groups out there. Again, we don't know who's responsible for building the backdoor; I'm just listing a couple of organizations that seem capable of pulling it off.

But wait, you say -- there's a difference between exploiting software and installing a backdoor. I agree: there's a difference, but it's largely a semantic one. Instead of (say) turning up the speed on a centrifuge, you're modifying a few lines of ScreenOS source code. It comes down to modifying a piece of software in a way that's advantageous to one party and detrimental to another.

But this is really a commentary about back doors, and why the notions of "good guys" and "bad guys" don't apply. For the sake of argument, let's suppose the ScreenOS backdoor was put in place by a nation state. By definition, some "bad guy" had a Juniper firewall, and some "good guy" created the back door so they could gain access to the bad guy's systems. Now, if we only knew who the good guys were.

This back door -- like many other back doors -- created a widely exploitable vulnerability. The bad guys aren't the only ones made vulnerable, and the good guys aren't the only ones able to take advantage of the exploit. That's not security by any stretch of the imagination.

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.