In mid-December 2015 Juniper Networks announced that, during an internal code review, it had discovered two critical security issues in its ScreenOS source code. Juniper noted that these vulnerabilities, CVE-2015-7755 (unauthorized administrative access) and CVE-2015-7756 (VPN decryption), effectively placed “backdoors” in its products and put the security and privacy of customer networks at risk.

  • CVE-2015-7755 allowed unauthorized remote administrative access to the Juniper firewall, giving the unauthorized party complete control of the affected device. Exploitation may be detected from spurious log entries showing an administrative login that no legitimate administrator made, provided the attacker did not clear the logs.
  • CVE-2015-7756 permitted an attacker to decrypt and monitor VPN (Virtual Private Network) traffic. Juniper noted there is no way to detect this, as the decryption is performed off the device, on captured traffic, and leaves no trace on the device itself.
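
The detection hint for CVE-2015-7755 above is the only device-side indicator of the two. The script below is an added example, not Juniper's or Rapid7's code, showing how a responder would sweep exported ScreenOS event logs for administrative logins under accounts the organisation never provisioned. The log lines are constructed for the example, and the line shape (“Admin user <name> has logged on via <protocol> from <address>”) is an assumption modelled on ScreenOS admin-login events; adjust the regular expression to match what your devices actually emit.

```python
import re

# Constructed sample event-log lines for this example (not taken from the page or
# from any real device). The line shape, "Admin user <name> has logged on via
# <protocol> from <address>", is an assumption modelled on ScreenOS admin-login
# events; adapt LOGIN_RE to the exact format your devices emit.
SAMPLE_LOG = """\
2015-12-17 09:00:00 system warn 00515 Admin user netops has logged on via SSH from 10.1.2.3:51022
2015-12-17 09:03:11 system warn 00515 Admin user system has logged on via SSH from 203.0.113.45:40211
2015-12-17 09:10:42 system warn 00515 Admin user netops has logged on via Telnet from 10.1.2.9:33012
2015-12-17 09:12:05 system warn 00515 Admin user system has logged on via Telnet from 198.51.100.7:52980
2015-12-17 09:20:00 system info 00002 Interface ethernet0/1 link is up
"""

# Administrative accounts the organisation actually provisioned (assumed list).
KNOWN_ADMINS = {"netops"}

# Keyed on the literal "Admin user" so the "system" facility field earlier in
# each line is never mistaken for the user name.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?Admin user (?P<user>\S+) has logged on via "
    r"(?P<proto>\S+) from (?P<src>[\d.]+)(?::\d+)?"
)


def parse_admin_logins(lines):
    """Return one dict (ts, user, proto, src) per administrative login in `lines`."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(lines, known_admins):
    """Return login events whose account is not one the organisation created.

    A successful administrative login under an account you did not provision
    is the spurious entry to look for; one hit is enough to treat the device
    as compromised.
    """
    return [e for e in parse_admin_logins(lines) if e["user"] not in known_admins]


if __name__ == "__main__":
    for e in find_suspicious_logins(SAMPLE_LOG.splitlines(), KNOWN_ADMINS):
        print(f"{e['ts']} unexpected admin login as {e['user']!r} "
              f"via {e['proto']} from {e['src']}")
```

Run it against logs exported from the device or, better, from a central syslog collector, since an attacker with full administrative access can clear the on-box log. For the same reason a clean sweep is not proof of a clean device, and no equivalent check exists for CVE-2015-7756, which leaves nothing in the logs at all.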

Juniper went on to issue patched ScreenOS releases that close both of these critical vulnerabilities.

How did this happen?

There is a great deal of speculation about how the “backdoors” came to be. The Register (UK) reports that development of the ScreenOS code takes place at Juniper’s development center in China, attributing this to a former Juniper staffer (unnamed, of course). The Register also notes that the VPN compromise (CVE-2015-7756) may have been in place since 2008, while being quick to add that it “…in no way suggests those who work in Juniper’s Beijing offices are in any way associated with the unauthorized code.” The Register has given us something to cogitate on.

Security firm Rapid7 did a deep dive into the administrative-access vulnerability (CVE-2015-7755) and published a comprehensive analysis of it. Rapid7 also ran a Shodan search and found approximately 26,000 NetScreen devices exposed to the Internet and vulnerable (this author conducted the same search on 7 January and found the number of such devices still exceeded 25,000, with 7,161 of them located within the United States).

What’s the damage?

The damage depends on who is behind the “backdoor” insertion. Wired magazine quotes Ralf-Philipp Weinmann, CEO of German consultancy Comsecuris, speculating that the encryption backdoor was created by the NSA. Wired goes on to note that it could also be an NSA partner in the UK or Israel, citing an unnamed source within the US government who says the US intelligence community is not behind the insertion. Wired also identifies other potential culprits: Russia and China.

The bottom line: no one has established who is responsible for the backdoors. All customers should therefore assume that the compromise was carried out by whichever entity has the most to gain from the information protected by the firewall or transmitted within its VPNs over the course of the last five to seven years, and treat that information as exposed.

Are backdoors a good idea?

The compromise of Juniper’s VPN products via a backdoor aptly demonstrates the fallacy in the logic of building backdoors into encryption systems. A backdoor is a deliberate weakness, and whoever discovers it, not only the party it was built for, can use it; the backdoor therefore facilitates the compromise of the encrypted content by potential adversaries.


Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.