Backdoors Not Patched in Many Juniper Firewalls

The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.

Juniper Networks reported in mid-December that it had identified unauthorized code in ScreenOS, the operating system powering the company’s NetScreen firewalls.

The unauthorized code introduced two vulnerabilities: one that can be exploited to gain administrative access to affected devices (CVE-2015-7755), and one that can be leveraged to decrypt VPN connections (CVE-2015-7756).

The VPN decryption flaw affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, while the authentication backdoor only impacts ScreenOS 6.3.0r17 through 6.3.0r20. The security holes have been patched with the release of ScreenOS 6.2.0r19 and 6.3.0r21.
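The affected and fixed version ranges above are exactly the kind of data an inventory check needs, since ScreenOS release strings such as "6.3.0r17" do not sort correctly as plain text. The following Python is an added example (not code from the article or from Juniper) that parses those strings and maps each device in a constructed inventory to the CVEs its version falls under; the inventory lines and hostnames are made up for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ScreenOS ranges (inclusive) as given in Juniper's advisory.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],                             # auth backdoor
}
FIXED = ("6.2.0r19", "6.3.0r21")  # releases that carry the fix

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '6.3.0r17' into (6, 3, 0, 17) so versions compare numerically, not lexically."""
    m = _VER_RE.match(s.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected range contains this ScreenOS version."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def triage(inventory: str) -> Dict[str, List[str]]:
    """Map 'hostname version' inventory lines to the CVEs each device is exposed to."""
    result = {}
    for line in inventory.strip().splitlines():
        host, version = line.split()
        result[host] = affected_cves(version)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """
fw-edge-1 6.3.0r18
fw-edge-2 6.2.0r16
fw-lab-1  6.3.0r21
"""

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'not affected'}")
```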

Researchers said it took them only six hours to find the password for the authentication backdoor, namely “<<< %s(un='%s') = %u”. Honeypots deployed shortly after the news broke showed that attackers jumped at the opportunity and attempted to exploit the flaw.

Security consultant Julio Cesar Fort has recently conducted an Internet-wide scan to determine how many of the Juniper NetScreen devices open to the Web are still vulnerable.

Using the Censys search engine, the researcher identified more than 51,000 Internet-facing NetScreen devices. Scans conducted at the 32nd Chaos Communication Congress in Germany and in the following days, up until January 5, revealed a total of 1,595 potentially unpatched devices.

Juniper devices plagued by the backdoor can be accessed with any username and the “<<< %s(un='%s') = %u” password. In order to avoid counting honeypots mimicking vulnerable firewalls, the expert configured his scanner so that it attempted to connect with the username “honeytrap,” which is unlikely to be used by honeypots. A Kippo honeypot mod released on December 22 to allow researchers to mimic vulnerable devices was configured to accept only the username “system.”

According to Fort, the largest number of vulnerable devices was identified in the United States (480), followed by China (134), Japan (112), Germany (107) and South Korea (100). The expert noted that a small number of backdoored firewalls were also found in Iran, Russia and Iraq.

Backdoored Juniper firewalls

“This only highlights the fact a large number of organisations have poor vulnerability management practices and overlooked all reports the security community and IT media outlets gave about this particular issue,” Fort said.

“It is safe to assume that numerous organizations will have their networks exposed for many more months to come and penetration testers are likely to find unpatched devices, especially in internal networks, for even longer periods of time,” the researcher noted.

Based on the available evidence, experts have speculated that the backdoors could be the work of the NSA. However, the FBI has launched an investigation into the incident after U.S. officials raised concerns about the possibility that the backdoors were planted by a foreign government.

After news broke about the Juniper firewall backdoors, Cisco also announced its intention to review its products for malicious changes.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
