Connect with us

Hi, what are you looking for?



Backdoors Not Patched in Many Juniper Firewalls

The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.

The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.

Juniper Networks reported in mid-December that it had identified unauthorized code in ScreenOS, the operating system powering the company’s NetScreen firewalls.

The unauthorized code introduced two vulnerabilities: one that can be exploited to gain administrative access to affected devices (CVE-2015-7755), and one that can be leveraged to decrypt VPN connections (CVE-2015-7756).

The VPN decryption flaw affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, while the authentication backdoor only impacts ScreenOS 6.3.0r17 through 6.3.0r20. The security holes have been patched with the release of ScreenOS 6.2.0r19 and 6.3.0r21.

Researchers said it took them only six hours to find the password for the authentication backdoor, namely “<<< %s(un=’%s’) = %u”. Honeypots deployed shortly after the news broke showed that attackers jumped to the opportunity and attempted to exploit the flaw.

Security consultant Julio Cesar Fort has recently conducted an Internet-wide scan to determine how many of the Juniper NetScreen devices open to the Web are still vulnerable.

Using the Censys search engine, the researcher identified more than 51,000 Internet-facing NetScreen devices. Scans conducted at the 32nd Chaos Communication Congress in Germany and in the following days, up until January 5, revealed a total of 1,595 potentially unpatched devices.

Advertisement. Scroll to continue reading.

Juniper devices plagued by the backdoor can be accessed with any username and the “<<< %s(un=’%s’) = %u” password. In order to avoid counting honeypots mimicking vulnerable firewalls, the expert configured his scanner so that it attempted to connect with the username “honeytrap,” which is unlikely to be used by honeypots. A Kippo honeypot mod released on December 22 to allow researchers to mimic vulnerable devices was configured to accept only the username “system.”

According to Fort, the largest number of vulnerable devices was identified in the United States (480), followed by China (134), Japan (112), Germany (107) and South Korea (100). The expert noted that a small number of backdoored firewalls were also found in Iran, Russia and Iraq.

Backdoored Juniper firewalls

“This only highlights the fact a large number of organisations have poor vulnerability management practices and overlooked all reports the security community and IT media outlets gave about this particular issue,” Fort said.

“It is safe to assume that numerous organizations will have their networks exposed for many more months to come and penetration testers are likely to find unpatched devices, especially in internal networks, for even longer periods of time,” the researcher noted.

Based on the available evidence, experts have speculated that the backdoors could be the work of the NSA. However, the FBI has launched an investigation into the incident after U.S. officials raised concerns about the possibility that the backdoors were planted by a foreign government.

After news broke about the Juniper firewall backdoors, Cisco also announced its intention to review its products for malicious changes.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.