Security Experts:

US Government Agencies Asked About Juniper Backdoor Patching

The U.S. House Oversight and Government Reform Committee has sent out letters to dozens of government agencies asking them about the use and patching of vulnerable Juniper Networks products.

Letters were sent out last week to the Securities and Exchange Commission (SEC), the Secretary of Agriculture, GSA, the Secretary of Commerce, the Secretary of Labor, the Department of Energy, Veterans Affairs, the Environmental Protection Agency (EPA), the Treasury Secretary, the United States Agency for International Development (USAID), the Department of the Interior, the Department of Transportation, and the Department of Education.

The list of federal entities that received letters also includes the Secretary of State, the Consumer Financial Protection Bureau, the National Science Foundation (NSF), the Small Business Administration, the Social Security Administration (SSA), the Office of Personnel Management (OPM), Housing and Urban Development, the Department of Defense, the Department of Health and Human Services (HHS), the Nuclear Regulatory Commission, and NASA.

These government organizations have been asked to provide documents and information to show whether or not they have used affected Juniper products, how they discovered the vulnerability, and if they had taken any measures before deploying the patch provided by the vendor in December.

Juniper Networks’ solutions are used by many federal agencies and the Oversight Committee is trying to determine the extent of the recently disclosed vulnerabilities and their effects on the security posture of government organizations.

Juniper Networks revealed in mid-December that it had identified unauthorized code in its ScreenOS firewall operating system. The code introduced a couple of vulnerabilities that can be exploited to remotely gain administrative access to a device (CVE-2015-7755), and to decrypt VPN traffic (CVE-2015-7756).

The vendor released patches to address the security holes, but a researcher reported in early January that more than 1,500 devices had not been updated, including nearly 500 in the United States.

Since the VPN traffic decryption flaw is related to the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), known to contain a backdoor introduced by the NSA, experts suggested the agency might be responsible for the unauthorized code in Juniper’s ScreenOS. However, some officials have raised concerns that the backdoor could be the work of a foreign government and the FBI has launched an investigation.

Related: Juniper to Enhance RNG in ScreenOS

Related: Fortinet Says Backdoor in FortiOS Not Malicious

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.