The owners of more than 1,500 Juniper Networks firewalls still haven’t applied patches designed to address recently discovered backdoors, an Internet scan conducted by a researcher has shown.
Juniper Networks reported in mid-December that it had identified unauthorized code in ScreenOS, the operating system powering the company’s NetScreen firewalls.
The unauthorized code introduced two vulnerabilities: one that can be exploited to gain administrative access to affected devices (CVE-2015-7755), and one that can be leveraged to decrypt VPN connections (CVE-2015-7756).
The VPN decryption flaw affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, while the authentication backdoor only impacts ScreenOS 6.3.0r17 through 6.3.0r20. The security holes have been patched with the release of ScreenOS 6.2.0r19 and 6.3.0r21.
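To turn the version ranges above into something a defender can run over a device inventory, here is a small Python triage helper (an added example, not code from the article or from Juniper). It assumes ScreenOS versions are reported as strings such as "6.3.0r17" (optionally with a trailing build field like "6.3.0r17.0"); the hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected ScreenOS ranges as stated in the advisory coverage above (inclusive).
# Each entry: (CVE, first affected release, last affected release), with a
# release written as (major, minor, patch, r-number) so tuples compare in order.
AFFECTED_RANGES = [
    ("CVE-2015-7756", (6, 2, 0, 15), (6, 2, 0, 18)),  # VPN decryption
    ("CVE-2015-7756", (6, 3, 0, 12), (6, 3, 0, 20)),  # VPN decryption
    ("CVE-2015-7755", (6, 3, 0, 17), (6, 3, 0, 20)),  # authentication backdoor
]

# Assumed format: "6.3.0r17", optionally followed by a build field ("6.3.0r17.0").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a ScreenOS version string into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, patch, release = (int(x) for x in m.groups())
    return (major, minor, patch, release)


def affected_cves(version: str) -> List[str]:
    """Return the CVEs that apply to this version (empty list when patched/unaffected)."""
    v = parse_screenos_version(version)
    hits: List[str] = []
    for cve, low, high in AFFECTED_RANGES:
        if low <= v <= high and cve not in hits:
            hits.append(cve)
    return hits


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> applicable CVEs for every device that still needs patching."""
    return {host: cves for host, ver in inventory.items() if (cves := affected_cves(ver))}


if __name__ == "__main__":
    # Constructed sample inventory: two unpatched devices, one patched, one pre-backdoor.
    sample = {"fw-dc1": "6.3.0r18", "fw-vpn": "6.2.0r16",
              "fw-edge": "6.3.0r21.0", "fw-old": "6.3.0r11"}
    for host, cves in triage(sample).items():
        print(f"{host}: needs patching for {', '.join(cves)}")
```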
Researchers said it took them only six hours to find the password for the authentication backdoor, namely “<<< %s(un='%s') = %u”. Honeypots deployed shortly after the news broke showed that attackers jumped at the opportunity and attempted to exploit the flaw.
Security consultant Julio Cesar Fort has recently conducted an Internet-wide scan to determine how many of the Juniper NetScreen devices open to the Web are still vulnerable.
Using the Censys search engine, the researcher identified more than 51,000 Internet-facing NetScreen devices. Scans conducted at the 32nd Chaos Communication Congress in Germany and in the following days, up until January 5, revealed a total of 1,595 potentially unpatched devices.
Juniper devices plagued by the backdoor can be accessed with any username and the “<<< %s(un='%s') = %u” password. In order to avoid counting honeypots mimicking vulnerable firewalls, the expert configured his scanner so that it attempted to connect with the username “honeytrap,” which is unlikely to be used by honeypots. A Kippo honeypot mod released on December 22 to allow researchers to mimic vulnerable devices was configured to accept only the username “system.”
According to Fort, the largest number of vulnerable devices was identified in the United States (480), followed by China (134), Japan (112), Germany (107) and South Korea (100). The expert noted that a small number of backdoored firewalls were also found in Iran, Russia and Iraq.
“This only highlights the fact a large number of organisations have poor vulnerability management practices and overlooked all reports the security community and IT media outlets gave about this particular issue,” Fort said.
“It is safe to assume that numerous organizations will have their networks exposed for many more months to come and penetration testers are likely to find unpatched devices, especially in internal networks, for even longer periods of time,” the researcher noted.
Based on the available evidence, experts have speculated that the backdoors could be the work of the NSA. Meanwhile, the FBI has launched an investigation into the incident after U.S. officials raised concerns about the possibility that the backdoors were planted by a foreign government.
After news broke about the Juniper firewall backdoors, Cisco also announced its intention to review its products for malicious changes.