Juniper Reveals 'Unauthorized Code' That Decrypts VPN Connections

from the let-the-speculation-begin dept

Well, well, well. Yesterday morning, Juniper Networks announced that it had discovered “unauthorized code” in ScreenOS, the operating system on its NetScreen firewalls, that would allow a “knowledgeable” attacker to gain administrative access to the devices and to decrypt VPN traffic passing through them:


During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.

At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.

Not surprisingly, speculation is running rampant about how this happened. This isn’t a matter of someone finding and using a zero-day bug in shipped software; Juniper’s own words are “unauthorized code,” meaning something was deliberately added to the source that Juniper never approved. That rules out random security folks having fun. The most obvious candidates are nation-state actors, with a lot of fingers pointing in the NSA’s general direction. Whether or not it was the NSA, I would imagine there was a lot of freaking out at Ft. Meade yesterday as this came out: either their own handiwork was exposed, or their own failure to spot someone else’s.

You may recall that, almost exactly two years ago, the German newspaper Der Spiegel ran a fairly revealing article about the NSA’s Tailored Access Operations (TAO) unit, which focuses on figuring out how to get into basically any computer or network. The article also discussed another group, Advanced or Access Network Technology (ANT), which focuses on building implants and exploits for specific vendors’ equipment. The accompanying article about the “catalog” from which NSA units “purchase” these tools discusses targeting Juniper equipment:


In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”

Of course, if the backdoor lives in the OS image itself, that would explain how it can “survive ‘across reboots and software upgrades’”: code that ships in every release trivially survives a reboot, and it survives an upgrade for as long as each new release carries the same code. In other words, while the original article assumed a separate piece of malware planted on the device, perhaps the malware was already in the OS itself. That is speculation on my part; Juniper has said nothing about who inserted the code, when, or how.

And, remember, this is the same government/NSA that now wants tech companies to share even more information with it via CISA (the Cybersecurity Information Sharing Act)…

Companies: juniper, juniper networks


Comments on “Juniper Reveals 'Unauthorized Code' That Decrypts VPN Connections”

17 Comments
That One Guy says:

'Better to ask forgiveness than permission'

And, remember, this is the same government/NSA that now wants tech companies to share even more information with it via CISA…

Assuming it was the NSA responsible, I can’t see how you could fault them for trying to be helpful. I mean really, both they and various companies know that the NSA would really like approximately all the data they can get their hands on, they were just being courteous and polite, saving Juniper time and effort by getting it themselves, rather than bothering Juniper by asking them for the data.

Ehud Gavron says:

source code revision control system

Juniper has an awesome RCS. It’s interesting they “revealed” this back door but did not “reveal” anything about who or how or when it was put in.

I’m also wondering if they have a recourse. If this was done by a private individual it would constitute a blatant violation of the CFAA, property damage, and reputational damage.

E

Anonymous says:

Re: source code revision control system

Juniper has an awesome RCS. It’s interesting they “revealed” this back door but did not “reveal” anything about who or how or when it was put in.

Most systems don’t have the cryptographic guarantees of git. If I wanted to hide something like this, I’d insert it as a change in the distant past, ideally something like “initial import from CVS” not associated with any actual person (rewriting all subsequent versions too, of course). Don’t go through the public APIs when you can just hack the RCS server directly.

I’m also wondering if they have a recourse. If this was done by a private individual[…]

It could be hard to prove anything if it’s disguised as a bug. See the Underhanded C Contest. And even if a person did check it in, maybe the NSA edited the code sitting on the developer’s system so they’d check in the wrong thing. After all, they’ve been known to hack sysadmin computers, and a hacked admin account could remotely edit your laptop’s hard drive. If I were caught inserting a backdoor I’d be claiming something like that.
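
The point the commenter makes about git is worth seeing in code. The following is an added example by the editor, not code from the commenter, from Juniper, or from git itself. It reproduces git’s object hashing (the same ids `git hash-object` produces: a SHA-1 over `"<type> <size>\0"` plus the body) for blobs, flat trees and commits, builds a constructed three-commit history, then plays the attacker who edits the “initial import” commit. Because every commit id covers its tree and its parent’s id, the tampered history gets a different id at every commit, so anyone holding the old head id outside the compromised server (a signed tag, a second clone, a build log) notices. The file contents, commit messages and developer identity are all made up for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Hypothetical developer identity with a fixed timestamp, so every run gives the same ids.
IDENT = "Dev <dev@example.com> 1450000000 +0000"


def git_hash(obj_type: str, body: bytes) -> str:
    """Git object id: sha1 over "<type> <size>\\0" + body, exactly as git hash-object does."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_hash("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Flat tree (no subdirectories): entries sorted by name, "<mode> <name>\\0" + raw 20-byte id."""
    body = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files)
    )
    return git_hash("tree", body)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Commit object: tree, optional parent, author, committer, blank line, message."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message]
    return git_hash("commit", ("\n".join(lines) + "\n").encode())


Snapshot = Tuple[str, Dict[str, bytes]]  # (commit message, full file set at that commit)


def build_history(snapshots: List[Snapshot]) -> List[str]:
    """Commit ids of a linear history, oldest first. Each id covers its tree and its parent id."""
    ids: List[str] = []
    parent: Optional[str] = None
    for message, files in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids


def head_matches_pin(pinned_head: str, history: List[str]) -> bool:
    """The check a signed tag, a second clone or a build log lets you make: one id to compare."""
    return history[-1] == pinned_head


# Constructed sample history (nothing to do with Juniper's real code).
AUTH_OK = b"int check_password(const char *p) { return strcmp(p, stored) == 0; }\n"
AUTH_BAD = AUTH_OK + b"/* 'convenience' master password slipped into the initial import */\n"

HONEST: List[Snapshot] = [
    ("initial import from CVS", {"auth.c": AUTH_OK}),
    ("add ssh support", {"auth.c": AUTH_OK, "ssh.c": b"/* ssh */\n"}),
    ("fix crash in ssh", {"auth.c": AUTH_OK, "ssh.c": b"/* ssh, fixed */\n"}),
]

# The attacker backdates the change into the oldest commit. Every later tree still contains
# auth.c, and every later commit names its parent, so all later snapshots must be regenerated.
TAMPERED: List[Snapshot] = [(msg, {**files, "auth.c": AUTH_BAD}) for msg, files in HONEST]


if __name__ == "__main__":
    honest = build_history(HONEST)
    tampered = build_history(TAMPERED)
    for h, t in zip(honest, tampered):
        print(f"{h[:12]}  ->  {t[:12]}  {'CHANGED' if h != t else 'same'}")
    print("pinned head still valid:", head_matches_pin(honest[-1], tampered))
```

The caveat, which is also the commenter’s caveat: the guarantee only helps if somebody holds the old head id somewhere the attacker cannot reach. An attacker with write access to the server can rewrite the whole chain consistently; what they cannot do is make the rewritten chain end in the same id as the one on a signed tag, in another developer’s clone, or in a release build record. Systems that store per-file revisions without chaining them (CVS-style repositories) offer no such independent check.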

aldestrawk says:

Back in the late 90s, I was working for a company that made network switches. I was a software engineer and only once visited a customer site to debug a difficult problem. The VP of engineering came with me and we brought a couple of spare switches to help in debugging. The site was Livermore National Laboratories, in particular, the group that oversaw the National Ignition Facility (you know, the big building filled with massive lasers that was supposed to be used for controlled fusion but ended up just as a way of testing nuclear weapon design). During our visit, with their head IT guy present, we found that the password had been set for one of our spare switches and no one there knew it. The other engineer who came with us mentioned there was a backdoor, a hard-coded password, to gain administrative control. I was unaware of that despite knowing most of the code. Both that engineer and the VP seemed not to be fazed by the existence of a backdoor. I desperately tried to change the subject while entering the hard-coded password. When we got back I immediately changed the code to eliminate the backdoor. My point is that the backdoor was introduced just as a convenience for the development engineers who weren’t terribly concerned about security repercussions. I am not dismissing the possibility that Juniper’s backdoor was introduced for nefarious reasons. If the code is designed to allow access to VPN keys once you have administrative access, it is conceivable that this backdoor was an ill-advised convenience rather than intentionally set for allowing surreptitious surveillance.

Median Wilfred says:

But it was "unauthorized code"

Quite a few similar stories exist. See: http://www.iss.net/security_center/reference/vulntemp/Rlogin_-froot_backdoor.htm for a more blatant example, but the “WIZARD” mode of the old sendmail SMTP program is about the same.

I wanted to parse the Juniper “unauthorized code” tag to say that what you’re advocating isn’t what Juniper meant, but after thinking about it, I now believe that “unauthorized code” could mean exactly what you mention.

After that, it occurred to me that even if the “unauthorized code” was a spy agency hack, then deep cover spy agency sock puppets would be writing exactly what you wrote to muddle the issue. Some fraction of tech journalists are going to rationalize this away, using your writing and similar historical bugs/backdoors as above. NSA/FBI/CIA shills like Stewart Baker, Richard Burr and John Schindler will probably use exactly the same rationale in their parts of the he said/she said “journalism” that will come out in the next few days.

fairuse says:

Re:

Good point. The end users of hardware such as you describe have no idea what is in the box. I worked in process control, living in machine code heaven. Back in the late 70’s thru 90’s, debugging embedded OS (mostly ROM) was hell. I bet this “backdoor” was requested by hardware designers as a tool. Oops, forgot to tell the make to kill it for production.

maybe.

Anonymous says:

First I wasn't

First they came for the Communists, but I wasn’t a Commie and did nothing.
Then they came for the Terrorists, but I wasn’t one of those either and kept to myself.
After that they went after the drug dealers, child abusers and hardened criminals, but again I didn’t belong to those groups and allowed it to happen.
Next they went after everyone who was on the secret lists for secret reasons and I did nothing because I had no standing or support to undo decades of erosion of rights.
The land of the free and home of the brave is now less free than at any time in history because we have traded our freedom for the illusion of safety. The terrorists aren’t foreigners trying to make us afraid of leaving our homes, it is the government trying to justify their actions and hating truth and openness more and more every day.
By their fruits, you will know them.

Median Wilfred says:

Re: Re: First I wasn't

Yes! What would you do? Cut a great road through the law to get after the Terrorists and Drug Dealers and Child Abusers? And when the last law was down, and the Terrorists turned ’round on you, where would you hide, the laws all being flat? This country is planted thick with laws, from coast to coast, Man’s laws, not God’s! And if you cut them down do you really think you could stand upright in the winds that would blow then? Yes, I’d give Terrorists, Drug Dealers and Child abusers benefit of law, for my own safety’s sake!

Take that, Senators Graham and Burr.

Anonymous says:

“And a device that may need to be reset needs to be a hard button reset at the device, not remotely.”

I’m not being facetious, but I would bet money some sites have robots or control gear to do resets. Which just moves the problem to one of backdooring the robot. Sometimes something has to be done now instead of waiting for an engineer or authorized person (*) to reach a (potentially remote) site.

(*) = who is sure that the employee or authorized person isn’t the backdoor?
