Connect with us

Hi, what are you looking for?



Backdoors Not Patched in Many Juniper Firewalls

The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.

The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.

Juniper Networks reported in mid-December that it had identified unauthorized code in ScreenOS, the operating system powering the company’s NetScreen firewalls.

The unauthorized code introduced two vulnerabilities: one that can be exploited to gain administrative access to affected devices (CVE-2015-7755), and one that can be leveraged to decrypt VPN connections (CVE-2015-7756).

The VPN decryption flaw affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, while the authentication backdoor only impacts ScreenOS 6.3.0r17 through 6.3.0r20. The security holes have been patched with the release of ScreenOS 6.2.0r19 and 6.3.0r21.

Researchers said it took them only six hours to find the password for the authentication backdoor, namely “<<< %s(un=’%s’) = %u”. Honeypots deployed shortly after the news broke showed that attackers jumped to the opportunity and attempted to exploit the flaw.

Security consultant Julio Cesar Fort has recently conducted an Internet-wide scan to determine how many of the Juniper NetScreen devices open to the Web are still vulnerable.

Using the Censys search engine, the researcher identified more than 51,000 Internet-facing NetScreen devices. Scans conducted at the 32nd Chaos Communication Congress in Germany and in the following days, up until January 5, revealed a total of 1,595 potentially unpatched devices.

Juniper devices plagued by the backdoor can be accessed with any username and the “<<< %s(un=’%s’) = %u” password. In order to avoid counting honeypots mimicking vulnerable firewalls, the expert configured his scanner so that it attempted to connect with the username “honeytrap,” which is unlikely to be used by honeypots. A Kippo honeypot mod released on December 22 to allow researchers to mimic vulnerable devices was configured to accept only the username “system.”

Advertisement. Scroll to continue reading.

According to Fort, the largest number of vulnerable devices was identified in the United States (480), followed by China (134), Japan (112), Germany (107) and South Korea (100). The expert noted that a small number of backdoored firewalls were also found in Iran, Russia and Iraq.

Backdoored Juniper firewalls

“This only highlights the fact a large number of organisations have poor vulnerability management practices and overlooked all reports the security community and IT media outlets gave about this particular issue,” Fort said.

“It is safe to assume that numerous organizations will have their networks exposed for many more months to come and penetration testers are likely to find unpatched devices, especially in internal networks, for even longer periods of time,” the researcher noted.

Based on the available evidence, experts have speculated that the backdoors could be the work of the NSA. However, the FBI has launched an investigation into the incident after U.S. officials raised concerns about the possibility that the backdoors were planted by a foreign government.

After news broke about the Juniper firewall backdoors, Cisco also announced its intention to review its products for malicious changes.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights