Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Juniper to Enhance RNG in ScreenOS

Following the discovery of unauthorized code, Juniper Networks announced on Friday that it will replace the random number generation (RNG) technology in its ScreenOS operating system with the one currently used in Junos OS products.

Following the discovery of unauthorized code, Juniper Networks announced on Friday that it will replace the random number generation (RNG) technology in its ScreenOS operating system with the one currently used in Junos OS products.

Juniper revealed in mid-December that it had identified unauthorized code in ScreenOS, the operating system used by the company’s NetScreen firewalls. The unauthorized code introduces a vulnerability that can be leveraged to remotely gain administrative access to affected devices via SSH or telnet, and a weakness that allows an attacker with access to VPN connections to decrypt VPN traffic.

The vulnerabilities have been patched by the company with the release of ScreenOS 6.2.0r19 and 6.3.0r21. However, researchers found that despite attempts by malicious actors to exploit the authentication bypass flaw, more than 1,500 devices had remained unpatched as of last week.

After examining the available evidence, external researchers determined that the VPN decryption vulnerability might be related to the use of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in ScreenOS.

Dual EC DRBG came in the spotlight in late 2013 when reports surfaced that the NSA created a backdoor and allegedly paid RSA $10 million to get the company to use it by default in one of its toolkits.

Juniper has argued that the Dual EC DRBG standard has not been used as the primary RNG, and the company says it hasn’t used the curve points recommended by NIST and instead uses self-generated basis points, which should provide sufficient crypto.

Advertisement. Scroll to continue reading.

Experts suggested that while Juniper changed the “locks” on the system, someone might have broken in and changed them again. Some also suggested that the use of Dual EC might have also made the patches released by the company ineffective.

In a statement published on Friday, Juniper Networks’ SVP chief information officer, Bob Worrall, denied reports that the use of Dual EC in ScreenOS prevents the recently discovered vulnerabilities from being fixed properly.

Juniper has conducted a thorough investigation of the source code for ScreenOS and Junos OS, the operating system that powers the company’s routing, switching and security devices. The investigation found no additional evidence of tampering and led to the conclusion that it would be much more difficult to plant unauthorized code in Junos.

The company has decided to replace Dual EC and ANSI X9.31 in ScreenOS 6.3 with the same RNG technology used in Junos OS products. The ScreenOS release that will include a more robust RNG subsystem will become available in the first half of 2015.

In the meantime, Juniper says it’s confident that the current version of ScreenOS has sufficient cryptology.

“We believe that the existing code using Dual_EC with self-generated basis points provides sufficient cryptology notwithstanding issues with the second ANSI X.9.31 random number generator,” Worrall said.

Some experts suspected that the NSA might have had something to do with the backdoors found in Juniper firewalls, especially since leaked documents showed that the agency targeted the security firm’s products in the past. However, the FBI has launched an investigation into the incident after U.S. officials raised concerns that the backdoors might have been planted by a foreign government. Juniper Networks says the investigation into the origin of the unauthorized code continues.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.