How to log into any backdoored Juniper firewall – hard-coded password published
Did the NSA knacker ScreenOS? Probably not
The access-all-areas backdoor password hidden in some Juniper Networks Netscreen firewalls has been published.
Last week it was revealed that some builds of the devices' ScreenOS firmware suffer from two severe security weaknesses: one allows devices to be commandeered over SSH and Telnet, and the other allows encrypted VPN communications to be monitored by eavesdroppers.
An analysis by security firm Rapid7 of the firmware's ARM code has uncovered more details on that first vulnerability – specifically, a hardcoded password that grants administrator access. And that password is:
<<< %s(un='%s') = %u
On the face of it, this skeleton key looks like a harmless printf() format string for writing some text and an integer to a diagnostic log file – it would be lost among the rest of the firmware's data.
However, the string is actually used during login checks. When the magic text is presented as a password over SSH or Telnet, the firmware grants total access to the equipment: whatever username is supplied, the check passes and the caller gets administrator access. Because the string is compiled into the operating system rather than stored in the configuration, no setting on the box removes it; only a fixed firmware build does.
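To make that concrete, here is an added example in Python. It is not code from the article, from Juniper or from Rapid7; it models the check as the article describes it. The same string is shown doing its innocent job as a log format, then as the compiled-in constant that a backdoored login routine compares the supplied password against before any real credential check, next to the same routine with the constant removed. A scanner for the literal bytes in a firmware image is included. The account table, the PBKDF2 storage scheme, the salt, the sample image and all function names are constructed for the illustration and do not describe how ScreenOS actually stores credentials.

```python
import hashlib
import hmac

# The skeleton key, exactly as published (no trailing full stop).
BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"


def as_log_line(func_name: str, user: str, result: int) -> str:
    """Used as a printf-style format, the string is an ordinary log line.
    This is why it blends in with the rest of the firmware's string table."""
    return BACKDOOR_PASSWORD % (func_name, user, result)


# Constructed stand-in for the device's configured admin accounts.
# ScreenOS does not store credentials this way; PBKDF2 is used here only
# so the model has a real secret to compare against.
_SALT = b"constructed-salt"
_ITERATIONS = 20_000


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"netscreen": _derive("constructed-admin-password")}


def vulnerable_login(username: str, password: str):
    """Model of the backdoored check as the article describes it: the
    supplied password is tested against the compiled-in constant first,
    so any username succeeds with it. Returns a role or None."""
    if password == BACKDOOR_PASSWORD:          # the backdoor branch
        return "admin"
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, _derive(password)):
        return "admin"
    return None


def hardened_login(username: str, password: str):
    """The same check with the constant gone: only a configured account
    with the matching secret gets in, compared in constant time."""
    stored = USERS.get(username)
    if stored is None:
        _derive(password)  # do equal work for unknown users (timing hygiene)
        return None
    return "admin" if hmac.compare_digest(stored, _derive(password)) else None


def find_backdoor_string(image: bytes) -> list:
    """Offsets of the exact backdoor string in a firmware image.
    A hit is an indicator to investigate, not proof: the bytes are a
    plausible log format, so confirm which code references them."""
    needle = BACKDOOR_PASSWORD.encode()
    offsets, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


# Constructed firmware-like blob: padding, the backdoor string at offset 16,
# then a near-miss, legitimate-looking format string ending in %d.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + BACKDOOR_PASSWORD.encode()
    + b"\x00"
    + b"<<< %s(un='%s') = %d\x00"
)

if __name__ == "__main__":
    print(as_log_line("login", "netscreen", 1))
    print(vulnerable_login("anyone-at-all", BACKDOOR_PASSWORD))   # admin
    print(hardened_login("anyone-at-all", BACKDOOR_PASSWORD))     # None
    print(find_backdoor_string(SAMPLE_IMAGE))                      # [16]
```

Two caveats for anyone using the scanner idea against a real image. A hit is a lead, not a verdict: the article's own point is that these bytes are indistinguishable from a legitimate format string, so the finding only means something once you have traced which code references the string and whether that code sits on the login path. And a miss proves nothing about other builds, which could compare against a different constant. The hardened routine differs from the vulnerable one only in that there is no constant to match; everything else about it (the hash, the iteration count, the role name) is illustrative.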
The Rapid7 team found more than 26,000 internet-facing Netscreen systems with SSH open.
"We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down 6.3.0r15 or 6.3.0r16," said Rapid7's chief research officer HD Moore.
"This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17)."
That date is important because it potentially derails a rumor that has been floating around the internet over the weekend: that the backdoor was created as part of a top-secret NSA plan to hijack Juniper's kit for spying purposes.
FEEDTROUGH tech ... One of the slides leaked from the NSA boasting the ability to hijack Juniper gear
This rumor spread after people fished out an NSA document published by Der Spiegel in which the intelligence agency claimed to have full control over Juniper's Netscreen firewalls.
But that slide was made in 2008. That's five years before this particular backdoor was added to ScreenOS. It's possible another backdoor was present in earlier builds, but no one has evidence of that.
Also, the NSA slide focuses on implanting surveillance malware in a device, rather than compromising the firmware's source code to introduce a hidden skeleton key. The backdoor found by Rapid7 seems too heavy-handed for the US spy agency. It's possible FEEDTROUGH exploited a vulnerability to install its malware, but only after a hole was discovered – and in any case, it couldn't have been this particular password vulnerability (unless, of course, the NSA has a TARDIS).
If anything, ScreenOS's use of the Dual EC DRBG random number generator in its encryption is more worrying, and points to potential NSA interference. That algorithm is the same engine that was championed by the NSA even as independent security researchers pointed out that it was seriously flawed.
So where does all this leave Juniper's customers? The company has released a patch for the affected systems, but a fair few annoyed IT managers might be leaving Juniper off their lists the next time it comes to hardware upgrade time. ®