Backdoors Not Patched in Many Juniper Firewalls

The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.

Juniper Networks reported in mid-December that it had identified unauthorized code in ScreenOS, the operating system powering the company’s NetScreen firewalls.

The unauthorized code introduced two vulnerabilities: an authentication backdoor that can be exploited to gain administrative access to affected devices over SSH or telnet (CVE-2015-7755), and a weakness in the VPN code that can be leveraged by an attacker who can observe traffic to decrypt VPN connections (CVE-2015-7756).

The VPN decryption flaw affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 (inclusive), while the authentication backdoor only impacts ScreenOS 6.3.0r17 through 6.3.0r20. Both issues are fixed in ScreenOS 6.2.0r19 and 6.3.0r21; any device reporting one of the affected release numbers should be treated as exposed until it is upgraded.

Researchers said it took them only six hours of comparing the vulnerable and patched firmware images to find the hardcoded password for the authentication backdoor, namely "<<< %s(un='%s') = %u" (a string chosen to look like a debugging format string). Honeypots deployed shortly after the news broke showed that attackers jumped at the opportunity and attempted to exploit the flaw within days.

Security consultant Julio Cesar Fort has recently conducted an Internet-wide scan to determine how many of the Juniper NetScreen devices open to the Web are still vulnerable.

Using the Censys search engine, the researcher identified more than 51,000 Internet-facing NetScreen devices. Scans conducted at the 32nd Chaos Communication Congress in Germany and in the following days, up until January 5, revealed a total of 1,595 potentially unpatched devices.

Juniper devices plagued by the backdoor can be accessed with any username and the "<<< %s(un='%s') = %u" password. To avoid counting honeypots mimicking vulnerable firewalls, the expert configured his scanner to attempt the login with the username "honeytrap," which honeypots are unlikely to accept: a Kippo honeypot mod released on December 22 to let researchers mimic vulnerable devices was configured to accept only the username "system," whereas a genuinely backdoored device accepts any username at all.

According to Fort, the largest number of vulnerable devices was identified in the United States (480), followed by China (134), Japan (112), Germany (107) and South Korea (100). The expert noted that a small number of backdoored firewalls were also found in Iran, Russia and Iraq.
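The first step in a scan like Fort's, before any login attempt, is triaging the version strings a search engine such as Censys reports against the affected ranges listed above, then tallying the hits per country. The Python below is an added example, not Fort's scanner or any code from the article: it parses ScreenOS release numbers of the form `6.3.0r17`, maps each to the CVEs whose ranges cover it, and counts devices exposed to the authentication backdoor by country. The inventory records are constructed for the example, using documentation addresses; the functions `parse_version`, `affected_cves` and `triage` are names chosen here.

```python
"""Triage ScreenOS version strings against the CVE-2015-7755 / CVE-2015-7756 ranges.

Added example; the sample inventory below is constructed, not scan data.
"""
import re
from collections import Counter

# ScreenOS releases look like <major>.<minor>.<patch>r<release>, e.g. 6.3.0r17
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(v):
    """Turn '6.3.0r17' into (6, 3, 0, 17) so tuples compare in release order."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {v!r}")
    return tuple(int(x) for x in m.groups())


# Affected ranges as given in Juniper's advisory (inclusive bounds).
AFFECTED = {
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],
}
FIXED = ("6.2.0r19", "6.3.0r21")


def affected_cves(version):
    """Return the sorted list of CVEs whose affected range covers this version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges:
            # Bounds share major.minor.patch, so tuple comparison is exact here.
            if parse_version(lo) <= v <= parse_version(hi):
                hits.append(cve)
                break
    return sorted(hits)


# Constructed sample inventory (ip, country, reported version): made up for
# this example in the shape a Censys export might give, not real hosts.
SAMPLE = [
    ("192.0.2.10", "US", "6.3.0r19"),    # both CVEs
    ("192.0.2.11", "US", "6.3.0r21"),    # patched
    ("198.51.100.5", "CN", "6.2.0r17"),  # VPN flaw only
    ("203.0.113.7", "JP", "6.3.0r12"),   # VPN flaw only
    ("203.0.113.8", "DE", "6.3.0r20"),   # both CVEs
    ("203.0.113.9", "KR", "unknown"),    # banner gave no usable version
]


def triage(records):
    """Classify each record; count auth-backdoor (CVE-2015-7755) devices per country.

    Returns (findings, by_country) where findings is a list of
    (ip, country, version, cves) and cves is None when the version is unparseable,
    so unknowns are reported rather than silently treated as safe.
    """
    findings = []
    by_country = Counter()
    for ip, country, version in records:
        try:
            cves = affected_cves(version)
        except ValueError:
            cves = None
        findings.append((ip, country, version, cves))
        if cves and "CVE-2015-7755" in cves:
            by_country[country] += 1
    return findings, by_country


if __name__ == "__main__":
    findings, by_country = triage(SAMPLE)
    for ip, country, version, cves in findings:
        status = "unknown version" if cves is None else (", ".join(cves) or "not affected")
        print(f"{ip:15} {country} {version:9} {status}")
    print("auth backdoor by country:", dict(by_country))
```

Note that a version string alone only says a device is on an affected release; a follow-up login attempt with an unusual username, as Fort did, is what separates real exposure from a patched device with a stale banner or a honeypot.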

Backdoored Juniper firewalls

“This only highlights the fact a large number of organisations have poor vulnerability management practices and overlooked all reports the security community and IT media outlets gave about this particular issue,” Fort said.

“It is safe to assume that numerous organizations will have their networks exposed for many more months to come and penetration testers are likely to find unpatched devices, especially in internal networks, for even longer periods of time,” the researcher noted.

Based on the available evidence, some experts have speculated that the backdoors could be the work of the NSA. Separately, the FBI has launched an investigation into the incident after U.S. officials raised concerns that the backdoors may have been planted by a foreign government.

After news broke about the Juniper firewall backdoors, Cisco also announced its intention to review its products for malicious changes.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
