Juniper Reveals 'Unauthorized Code' That Decrypts VPN Connections
from the let the speculation begin dept
Well, well, well. Yesterday morning, Juniper Networks announced that it had discovered some “unauthorized code” in its ScreenOS that would allow “knowledgeable” attackers to decrypt VPN traffic on Juniper’s NetScreen devices:
During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.
At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.
Not surprisingly, speculation is running rampant concerning how this happened. Since this isn’t just using some sort of zero day exploit, but rather “unauthorized code” — it’s pretty clear this isn’t just some random security folks having fun. The most obvious possibilities here are nation-state level actors — with a lot of finger pointing in the NSA’s general direction. I would imagine, whether or not it’s the NSA, there was a lot of freaking out at Ft. Meade yesterday as this came out. Either their own handiwork was exposed… or their own failure.
You may recall that, almost exactly two years ago the German newspaper Der Spiegel had a fairly revealing article about the NSA’s Tailored Access Operations (TAO) unit, that focused on figuring out how to get into basically any computer or network. The article also discussed another group, Advanced or Access Network Technology (ANT) which focused on creating exploits in equipment. In the accompanying article about the “catalog” that ANT produces for the NSA to “purchase” exploits, it discusses targeting Juniper equipment:
In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”
Of course, if the code is already directly in the OS, that explains why the code can “survive ‘across reboots and software upgrades’.” In other words, while the original article suspected malware, perhaps the malware was already in the OS itself.
And, remember, this is the same government/NSA that now wants tech companies to share even more information with it via CISA…