Security Experts:

Backdoor in Juniper Firewalls Enables Remote Access

Networking and security company Juniper Networks revealed on Thursday that it has identified a couple of serious vulnerabilities that can be exploited to gain administrative access to some firewalls and decrypt VPN traffic.

According to Juniper CIO Bob Worrall, the company recently conducted an internal code review which led to the discovery of unauthorized code in ScreenOS, the operating system used by Juniper’s NetScreen firewalls.

The unauthorized code introduces a backdoor that can be leveraged to remotely gain administrative access to the device via telnet or SSH. The company has pointed out that such access would normally result in an entry in the log file, but a skilled attacker would likely remove these entries to cover their tracks.

A second, independent vulnerability found in ScreenOS can be exploited by an attacker with access to VPN connections to decrypt VPN traffic.

“At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority,” Worrall said.

The administrative access vulnerability (CVE-2015-7755) affects products running ScreenOS 6.3.0r17 through 6.3.0r20. The VPN decryption flaw (CVE-2015-7756) impacts ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The security holes have been patched with the release of ScreenOS 6.2.0r19 and 6.3.0r21. The fixes are also included in versions 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b and 6.3.0r19b.

Juniper says there is no evidence that SRX firewalls or other devices running the Junos operating system are impacted.

A Juniper Networks spokesperson told SecurityWeek that the patched releases also address an unrelated SSH bug in ScreenOS that could allow an attacker to conduct DoS attacks against ScreenOS devices. 

It’s worth noting that the earliest versions of ScreenOS containing the unauthorized code were released in 2012. Independent security researcher Adam Caudill and others have spotted a change in the code that could be responsible for enabling the decryption of VPN traffic.

Some speculate that the backdoor could be the work of the U.S. National Security Agency. In December 2013, German news magazine Der Spiegel reported obtaining a document describing tools used by the NSA to compromise routers, servers and firewalls from various vendors. The NSA document, known as the ANT catalog, also mentions Juniper’s NetScreen firewalls in a section describing an implant dubbed “FEEDTROUGH.”

Juniper Networks has refused to comment on the speculations that the backdoors were planted by the NSA.

*Updated with additional information from Juniper regarding the DoS vulnerability. Also updated to state that the company is not commenting on the speculations.

*UPDATE2. Juniper has updated its advisory to say that separate CVE identifiers have been assigned for each vulnerability. The list of affected ScreenOS versions has also been revised.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.