Researchers from two security firms have uncovered the password guarding one of the backdoors discovered in Juniper Networks’ ScreenOS, the operating system behind its NetScreen enterprise-grade firewalls.
Fox-IT and Rapid7 found the secret code, which was disguised to look like debug code, said Rapid7 chief research officer HD Moore.
“This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username,” Moore said. “If you want to test this issue by hand, telnet or ssh to a NetScreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges.”
Fox-IT was the first to find the password, which it said took six hours, though it did not publish it.
Juniper released an emergency patch last Thursday closing the holes introduced by the two backdoors, one of which allows for passive decryption of VPN traffic moving through Juniper’s appliances, and the other allows for remote administrative access over SSH or Telnet.
Juniper senior vice president and chief information security officer Bob Worrall said the two vulnerabilities were discovered during a recent internal code review and affect ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. The earliest affected version was released Sept. 12, 2012.
Moore, however, said that the authentication backdoor is not present in older versions of ScreenOS, adding that the 6.2.0 series is likely not affected by the authentication backdoor, although it was vulnerable to the VPN flaw.
“We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down 6.3.0r15 or 6.3.0r16,” Moore said. “This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).”
Juniper has made new versions of the affected firmware available, sans backdoors, and admins are urged to patch immediately.
Heightening the concern was the revelation that Juniper’s affected NetScreen appliances use the maligned Dual_EC_DRBG random number generator, which has long been considered backdoored and was at the center of allegations that the NSA was involved in compromising the algorithm. In December 2013, Reuters alleged in a report that RSA Security was paid $10 million under a secret contract with the NSA to use Dual_EC, which the spy agency could easily crack.
Cryptographer Adam Langley on Saturday published a report on his personal site that summarizes much of the chatter around the backdoors and the discovery that ScreenOS uses Dual_EC. Specifically, Langley surmises that the presence of Dual_EC could explain how passive decryption of VPN traffic is possible.
Dual_EC is regarded as a poor choice for an RNG: its performance is sluggish, and its output is predictable given enough resources and knowledge of how it works.
Juniper’s Dual_EC implementation, however, does not use the pre-defined NSA-introduced points, suggesting, as Langley wrote: “[Juniper] used a backdoored RNG but changed the locks. Then this attack might be explained by saying that someone broke in and changed the locks again.”
In other words, it could be that someone else used the NSA’s backdoor in Dual_EC to attack Juniper.
Langley wrote:
“We’re not sure that’s actually what happened, but it seems like a reasonable hypothesis at this point. If it’s correct, this is fairly bananas. Dual-EC is not a reasonable RNG… Huge compromises were made in its design in order to meet its primary objective: to be a NOBUS passive backdoor. (NOBUS is an intelligence community term for ‘nobody but us,’ i.e. other parties shouldn’t be able to use the backdoor). Why would it be used in ScreenOS in the first place?”
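The "changed the locks" mechanism Langley describes, as an added example that is not code from the article, from Juniper or from ScreenOS: a toy Dual_EC generator on a constructed tiny curve (y² = x³ + 2x + 3 over GF(1019), standing in for NIST P-256, with only the high bits of each x-coordinate dropped instead of the real 16-bit truncation). It shows that whoever holds the scalar d with d·Q = P can turn a couple of outputs into the generator's internal state and predict everything that follows, that replacing Q with a point whose d nobody else knows shuts that party out, and that whoever picked the replacement Q gains exactly the same power. The curve, the scalars D and D2, and the seed are all constructed assumptions.

```python
"""Toy model of the Dual_EC_DRBG trapdoor (added example; constructed parameters).

A tiny curve over GF(1019) stands in for NIST P-256 and the generator drops only
the high bits of each x-coordinate instead of the real 16-bit truncation. The
structure is faithful: anyone holding d with d*Q == P recovers the state.
"""
import math

P_MOD = 1019        # constructed prime; P_MOD % 4 == 3 keeps square roots cheap
A, B = 2, 3         # constructed curve y^2 = x^3 + A*x + B over GF(P_MOD)
OUT_MASK = 0xFF     # emit the low 8 bits of x; the attacker guesses the rest
INF = None          # point at infinity


def add(p1, p2):
    """Affine point addition, including doubling and inverse pairs."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    return 0 if pt is INF else pt[0]


def lift(x):
    """Return a curve point with this x-coordinate, or None if none exists."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # valid because P_MOD % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None


def order(pt):
    """Order of pt by repeated addition (cheap at this toy size)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n


def _find_base():
    for x in range(1, P_MOD):
        pt = lift(x)
        if pt is not None and order(pt) >= 200:
            return pt


BASE = _find_base()                  # plays the role of P
N = order(BASE)
# Trapdoor: pick D first, then derive Q so that D*Q == BASE.
D = next(d for d in range(7, N) if math.gcd(d, N) == 1)
Q = mul(pow(D, -1, N), BASE)
# "Changing the locks": a fresh Q2 whose trapdoor D2 only its creator knows.
D2 = next(d for d in range(101, N) if math.gcd(d, N) == 1)
Q2 = mul(pow(D2, -1, N), BASE)


def outputs_from_state(s, q, count):
    """Dual_EC core: emit low bits of x(s*Q), then advance s <- x(s*P)."""
    outs = []
    for _ in range(count):
        outs.append(xcoord(mul(s, q)) & OUT_MASK)
        s = xcoord(mul(s, BASE))
    return outs


def dual_ec(seed, q, count):
    """Generate `count` outputs from a seed (first state update applied first)."""
    return outputs_from_state(xcoord(mul(seed, BASE)), q, count)


def predict(observed, d, q, count):
    """Trapdoor holder: from >= 2 observed outputs, recover the state and return
    the next `count` outputs; None if d does not match q (locks were changed)."""
    for hi in range(0, P_MOD, OUT_MASK + 1):
        x = hi + observed[0]            # guess the truncated high bits
        if x >= P_MOD:
            break
        r_pt = lift(x)                  # candidate for s*Q; sign of y is irrelevant
        if r_pt is None:
            continue
        s_next = xcoord(mul(d, r_pt))   # d*(s*Q) == s*(d*Q) == s*P: next state
        future = outputs_from_state(s_next, q, len(observed) - 1 + count)
        if future[:len(observed) - 1] == observed[1:]:
            return future[len(observed) - 1:]
    return None


if __name__ == "__main__":
    obs = dual_ec(12345, Q, 8)
    print("trapdoor holder predicts", predict(obs[:3], D, Q, 5), "actual", obs[3:])
    obs2 = dual_ec(12345, Q2, 8)
    print("after changing the locks, old d gives", predict(obs2[:3], D, Q2, 5))
    print("new lock holder predicts", predict(obs2[:3], D2, Q2, 5), "actual", obs2[3:])
```

The attacker only needs the published outputs and the scalar tying Q to P; nothing about the seed. That is why swapping Q is a complete defence against the original trapdoor holder and a complete handover to whoever chose the replacement, which is the situation Langley's hypothesis describes.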