Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

US Government Agencies Asked About Juniper Backdoor Patching

The U.S. House Oversight and Government Reform Committee has sent out letters to dozens of government agencies asking them about the use and patching of vulnerable Juniper Networks products.

The U.S. House Oversight and Government Reform Committee has sent out letters to dozens of government agencies asking them about the use and patching of vulnerable Juniper Networks products.

Letters were sent out last week to the Securities and Exchange Commission (SEC), the Secretary of Agriculture, GSA, the Secretary of Commerce, the Secretary of Labor, the Department of Energy, Veterans Affairs, the Environmental Protection Agency (EPA), the Treasury Secretary, the United States Agency for International Development (USAID), the Department of the Interior, the Department of Transportation, and the Department of Education.

The list of federal entities that received letters also includes the Secretary of State, the Consumer Financial Protection Bureau, the National Science Foundation (NSF), the Small Business Administration, the Social Security Administration (SSA), the Office of Personnel Management (OPM), Housing and Urban Development, the Department of Defense, the Department of Health and Human Services (HHS), the Nuclear Regulatory Commission, and NASA.

These government organizations have been asked to provide documents and information to show whether or not they have used affected Juniper products, how they discovered the vulnerability, and if they had taken any measures before deploying the patch provided by the vendor in December.

Juniper Networks’ solutions are used by many federal agencies and the Oversight Committee is trying to determine the extent of the recently disclosed vulnerabilities and their effects on the security posture of government organizations.

Juniper Networks revealed in mid-December that it had identified unauthorized code in its ScreenOS firewall operating system. The code introduced a couple of vulnerabilities that can be exploited to remotely gain administrative access to a device (CVE-2015-7755), and to decrypt VPN traffic (CVE-2015-7756).

The vendor released patches to address the security holes, but a researcher reported in early January that more than 1,500 devices had not been updated, including nearly 500 in the United States.

Since the VPN traffic decryption flaw is related to the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), known to contain a backdoor introduced by the NSA, experts suggested the agency might be responsible for the unauthorized code in Juniper’s ScreenOS. However, some officials have raised concerns that the backdoor could be the work of a foreign government and the FBI has launched an investigation.

Related: Juniper to Enhance RNG in ScreenOS

Related: Fortinet Says Backdoor in FortiOS Not Malicious

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).