Juniper to Enhance RNG in ScreenOS

Following the discovery of unauthorized code, Juniper Networks announced on Friday that it will replace the random number generation (RNG) technology in its ScreenOS operating system with the one currently used in Junos OS products.

Juniper revealed in mid-December that it had identified unauthorized code in ScreenOS, the operating system used by the company’s NetScreen firewalls. The unauthorized code introduces a vulnerability that can be leveraged to remotely gain administrative access to affected devices via SSH or telnet, and a weakness that allows an attacker with access to VPN connections to decrypt VPN traffic.

The vulnerabilities have been patched by the company with the release of ScreenOS 6.2.0r19 and 6.3.0r21. However, researchers found that more than 1,500 devices remained unpatched as of last week, even as malicious actors were attempting to exploit the authentication bypass flaw.

After examining the available evidence, external researchers determined that the VPN decryption vulnerability might be related to the use of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in ScreenOS.

Dual EC DRBG came into the spotlight in late 2013 when reports surfaced that the NSA had created a backdoor in it and allegedly paid RSA $10 million to have the company use it by default in one of its toolkits.

Juniper has argued that Dual EC DRBG was not used as the primary RNG, and the company says that instead of the curve points recommended by NIST it uses self-generated basis points, which, it says, should provide sufficient cryptographic strength.

Experts suggested that while Juniper changed the “locks” on the system, someone might have broken in and changed them again. Some also suggested that the use of Dual EC might have made the patches released by the company ineffective.
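The “locks” analogy has a concrete meaning, shown here by an added toy model that is not Juniper’s code and uses none of NIST’s parameters: the curve over GF(10007), the secret scalar 1009 and the seeds are all constructed for illustration (Python 3.8+). Whoever fixed the point pair (P, Q) while knowing the scalar relation between them can recover the generator’s state from a single truncated output and predict everything that follows, which is why swapping the points, or the generator itself, is what invalidates that relation.

```python
# Toy Dual EC DRBG on a hypothetical curve y^2 = x^3 + A*x + B over GF(P_MOD); constructed example.
P_MOD, A, B = 10007, 1, 4
MASK = (1 << 12) - 1  # keep the low 12 of 14 bits per output; real Dual EC keeps 240 of 256

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if p1 == p2: lam = (3*x1*x1 + A) * pow(2*y1, -1, P_MOD)
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD)
def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def xc(pt): return pt[0] if pt else 0  # x-coordinate; 0 only in toy-curve corner cases
def lift_x(x):
    """A point with x-coordinate x, if one exists (sqrt is easy because P_MOD = 3 mod 4)."""
    rhs = (x**3 + A*x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y*y % P_MOD == rhs else None

def stream(s, P, Q, count):
    """Simplified Dual EC core: emit r = x(sQ) with top bits dropped, then advance s = x(sP)."""
    out = []
    for _ in range(count):
        out.append(xc(ec_mul(s, Q)) & MASK)
        s = xc(ec_mul(s, P))
    return out

def predict(known, P, Q, e, extra):
    """Holding e with e*Q = P: lift known[0] to R = sQ, then x(e*R) = x(sP) is the next state."""
    for x in range(known[0], P_MOD, MASK + 1):  # every x whose kept bits match the output
        S = ec_mul(e, lift_x(x))                 # S = s*P when x is the right lift
        guess = S and stream(xc(S), P, Q, len(known) - 1 + extra)
        if guess and guess[:len(known) - 1] == known[1:]:  # confirm on the other known outputs
            return guess[len(known) - 1:]                  # then predict `extra` unseen ones
    return None

def demo(seed=4242, known_count=3, extra=5):
    Q = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt)
    e = 1009  # hypothetical secret relation; in the standard this is Q = d*P with e = d^-1
    P = ec_mul(e, Q)
    outputs = stream(xc(ec_mul(seed, P)), P, Q, known_count + extra)
    return outputs, predict(outputs[:known_count], P, Q, e, extra)
```

With three observed outputs the holder of `e` reproduces the remaining five exactly; an observer without `e` faces the discrete logarithm between P and Q instead.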


In a statement published on Friday, Juniper Networks’ SVP and chief information officer, Bob Worrall, denied reports that the use of Dual EC in ScreenOS prevents the recently discovered vulnerabilities from being fixed properly.

Juniper has conducted a thorough investigation of the source code for ScreenOS and Junos OS, the operating system that powers the company’s routing, switching and security devices. The investigation found no additional evidence of tampering and led to the conclusion that it would be much more difficult to plant unauthorized code in Junos.

The company has decided to replace Dual EC and ANSI X9.31 in ScreenOS 6.3 with the same RNG technology used in Junos OS products. The ScreenOS release that will include a more robust RNG subsystem will become available in the first half of 2015.

In the meantime, Juniper says it’s confident that the current version of ScreenOS has sufficient cryptology.

“We believe that the existing code using Dual_EC with self-generated basis points provides sufficient cryptology notwithstanding issues with the second ANSI X.9.31 random number generator,” Worrall said.

Some experts suspected that the NSA might have had something to do with the backdoors found in Juniper firewalls, especially since leaked documents showed that the agency targeted the security firm’s products in the past. However, the FBI has launched an investigation into the incident after U.S. officials raised concerns that the backdoors might have been planted by a foreign government. Juniper Networks says the investigation into the origin of the unauthorized code continues.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
