Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

US Government Agencies Asked About Juniper Backdoor Patching

The U.S. House Oversight and Government Reform Committee has sent out letters to dozens of government agencies asking them about the use and patching of vulnerable Juniper Networks products.

The U.S. House Oversight and Government Reform Committee has sent out letters to dozens of government agencies asking them about the use and patching of vulnerable Juniper Networks products.

Letters were sent out last week to the Securities and Exchange Commission (SEC), the Secretary of Agriculture, GSA, the Secretary of Commerce, the Secretary of Labor, the Department of Energy, Veterans Affairs, the Environmental Protection Agency (EPA), the Treasury Secretary, the United States Agency for International Development (USAID), the Department of the Interior, the Department of Transportation, and the Department of Education.

The list of federal entities that received letters also includes the Secretary of State, the Consumer Financial Protection Bureau, the National Science Foundation (NSF), the Small Business Administration, the Social Security Administration (SSA), the Office of Personnel Management (OPM), Housing and Urban Development, the Department of Defense, the Department of Health and Human Services (HHS), the Nuclear Regulatory Commission, and NASA.

These government organizations have been asked to provide documents and information to show whether or not they have used affected Juniper products, how they discovered the vulnerability, and if they had taken any measures before deploying the patch provided by the vendor in December.

Juniper Networks’ solutions are used by many federal agencies and the Oversight Committee is trying to determine the extent of the recently disclosed vulnerabilities and their effects on the security posture of government organizations.

Juniper Networks revealed in mid-December that it had identified unauthorized code in its ScreenOS firewall operating system. The code introduced a couple of vulnerabilities that can be exploited to remotely gain administrative access to a device (CVE-2015-7755), and to decrypt VPN traffic (CVE-2015-7756).

Advertisement. Scroll to continue reading.

The vendor released patches to address the security holes, but a researcher reported in early January that more than 1,500 devices had not been updated, including nearly 500 in the United States.

Since the VPN traffic decryption flaw is related to the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), known to contain a backdoor introduced by the NSA, experts suggested the agency might be responsible for the unauthorized code in Juniper’s ScreenOS. However, some officials have raised concerns that the backdoor could be the work of a foreign government and the FBI has launched an investigation.

Related: Juniper to Enhance RNG in ScreenOS

Related: Fortinet Says Backdoor in FortiOS Not Malicious

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.