Bad actors race to exploit Juniper firewall vulnerability

Efforts afoot to reverse engineer the flaw and create commodity exploits

juniper netscreen 5200 2

Now that Juniper has created a patch for its vulnerable firewall/VPN appliances, bad actors are setting to work reverse engineering the flaw so they can exploit devices that users don’t patch, and also make a profit by selling their exploits to others.

UPDATE: Wired reports a Dutch security firm claims it found the backdoor to ScreenOS within six hours of receiving the patch. Also, Reuters reports the Department of Homeland Security is investigating and CNN says the FBI is investigating as well.

“That’s what they do,” says John Pironti, president of IP Architects, who says he spent Friday responding to concerns about the compromised Juniper firewalls with his clients.

The pattern cyber criminals follow after vendors patch vulnerabilities is to compare the patched code to the unpatched code, figure out what the flawed code was and figure out how to use it to break into the device and the network it protects, Pironti says.

In this case Juniper says the flaw can be exploited to completely compromise a NetScreen firewall/VPN appliance via unauthorized remote administrator access via telnet or SSH, wipe out logs that would reveal the attack, and decrypt VPN traffic.

Once the reverse engineers do that, they’ll start trying out the exploit on whatever NetScreen devices they can locate in real-world networks hoping to find ones that aren’t patched, Pironti says. After that the exploits will go up for sale in underground markets and wend their way into open source penetration-testing platforms such as metasploit.

Inevitably some users fail to apply critical patches for years and years after they have been issued, he says. “It will be used for years,” he says. “This will not go away overnight.”

Since attackers can erase any trace they exploited a NetScreen appliance, IT security teams should start checking logs in the devices in line behind the firewall/VPNs. They should look for consistent and persistent traffic originating from unfamiliar and atypical IP address ranges that could represent the attackers moving inside the network once they’ve cracked the appliance, Pironti says. “See if they tried to get elsewhere,” he says.

Meanwhile, as of Friday, Juniper had yet to answer some key questions about the bad code.

In response to emails seeking more information, Juniper reiterated part of its initial announcement about the patches and provided a link to its formal advisory, but that’s it.

Some of the questions left unanswered:

  • How long has the bad code been in ScreenOS?
  • How did it get there?
  • How many units did it affect?
  • Does the problem affect every VPN tunnel or just certain tunnel types and encryption types?
  • Does Juniper recommend that customers do any sort of security audit to figure out if they have been compromised through use of this vulnerability?
  • Is there any way to find out if the vulnerability has been exploited in a particular device?

“I think that Juniper does owe us more information,” says Joel Snyder, senior partner in Opus One, a technology consultancy that has tested network firewalls for Network World. “In any case, I think that Juniper should be forthcoming with more information to let us know if they think that this was put in accidentally, on purpose, and by whom.”

It’s possible the bug was put there by a nation-state, he says, but “I would guess that it is just as likely that this is a human error and someone put something in ignorantly or for debugging that they forgot to take out.”

“People have been quick to say that this is linked to the NSA/InfoSec community in the [U.S. government], but I seriously doubt that.  ...  This was something IN the code, and it was introduced in the last few years after the product was REALLY mature.”

But the wording of the Juniper announcement – it pins the problem on “unauthorized code” – makes Pironti think it was an implant, software placed in the operating system intentionally to facilitate attacks. “Unauthorized code, to me, means an implant. It’s not like someone fat-fingered an entry.”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2015 IDG Communications, Inc.