This weekend, Juniper Networks informed customers that the recent security threats to its ScreenOS weren’t as widespread as initially presumed.
The Network company, a couple weeks ago, issued an alert immediately after the discovery in ScreenOS of unauthorized code that might enable an attacker to get administrative control over devices using Netscreen (Administrative Access) or to decrypt a VPN.
Both issues are unrelated to each other, as per the company alert.
Juniper initially advised all clients that the Administrative Access code affected ScreenOS 6.30r12 through 6.30r20, and that the VPN Decryption code affected ScreenOS 6.20r15 through 6.20r18. It recommended users patch their systems.
“Once we identified these vulnerabilities, we launched an investigation into the matter and worked to develop and issue patched releases for the latest versions of ScreenOS,” noted Bob Worrall, senior VP and chief information officer.
That investigation guided Juniper to narrow a list of affected versions.”Administrative Access … only affects ScreenOS 6.3.0r17 through 6.3.0r20,” Worrall wrote in Sunday’s update. “VPN Decryption … only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.”
“We strongly recommend that all customers update their systems and apply these patched releases with the highest priority,” he added.
Juniper hadn’t received any signals of exploitation of the vulnerabilities or system weakness when it released its original alert a week ago, and as of Monday, it had nothing more to share about the security issues, spokesperson Danielle Hamel told the media.
NSA suspicions
As the vulnerabilities are similar to the disclosures whistleblower Ed Snowden made about NSA techniques to get unauthorized use of various networking systems, doubts have surfaced about whether or not the unauthorized code could possibly be connected to backdoor federal government surveillance.
“The NSA ANT catalogue has detailed capabilities on penetrating Juniper firewalls and they have spent considerable time and effort building customized capabilities for several enterprise firewall vendors,”explainedLogicNow Security Lead Ian Trump.
Juniper refused to respond to specific questions related to the timing of its discovery of the most recent vulnerabilities; however, the company vehemently waived working with government officials to setup code that could manipulate its own network systems.
“As we’ve stated previously, Juniper Networks [takes] allegations of this nature seriously,” said spokesperson Hamel. “To be clear, we do not work with governments or anyone else to purposefully introduce weaknesses or vulnerabilities into our products.”
The company “consistently operates with the highest of ethical standards” and is committed to “maintaining the integrity, security and assurance” of its products, she said.
Juniper earlier investigated reports released in Germany’s Der Spiegel, which recommended that the NSA might be working with “software implants” to take advantage of vulnerabilities in its BIOS.
“We don’t know whether the culprit in this instance is the NSA or some other state-based actor, but it is clear that the network equipment providers are targets — sometimes willingly, sometimes not,” said Eli Dourado, research fellow and director of the Technology Policy Program at George Mason University’s Mercatus Center.
Moving the code that runs the guts of the network system to an open-source model could stop this kind of intrusion, he explained — and in reality, he made that suggestion in a 2013 New York Times essay, following Snowden’s facts about NSA surveillance practices.
Be the first to comment on "Juniper shortens ScreenOS network threat list"