How to log into any backdoored Juniper firewall – hard-coded password published

The access-all-areas backdoor password hidden in some Juniper Networks' Netscreen firewalls has been published. Last week it was revealed that some builds of the devices' ScreenOS firmware suffer from two severe security weaknesses: one allows devices to be commandeered over SSH and Telnet, and the other allows encrypted VPN …

  1. BebopWeBop Silver badge
    Facepalm

    And Juniper's business future looks good? Not the news their employees want to hear before Christmas.

    1. Adam 52 Silver badge

      Depends on whether you believe that their competitors aren't compromised in a similar or more subtle way.

      1. netminder

        BINGO!

        Has everyone forgotten the stories of Cisco being compromised?

        Is anyone naive enough in this day and age to believe HUAWEI is not backdoored?

        I do not know what the solution is, but running to a different vendor is not on the list of useful potential ideas.

  2. phil dude
    Boffin

    intellectual entropy...

    New management speak for incompetence?

    P.

  3. Anonymous Coward
    Anonymous Coward

    Maybe I'm being stupid here, but what terrorists use Juniper firewalls, and why does the NSA need access to the data?

    I'm beginning to think more and more that the "axis of evil" are not the enemy anymore.

    1. Rainer

      Actually, I believe Juniper has a sizable business in the Arab world - simply for the fact that they aren't Checkpoint.

      Same goes for e.g. Germany-based companies in that sector.

      1. This post has been deleted by its author

    2. tom dial Silver badge

      As we all know, or should, the NSA, and its predecessor, associated, and adversary SigInt agencies were in business for at least forty or fifty years before the onset of modern terrorism. They have a lot on their plates, all of them, beyond what may be going on amongst terrorists, whether in the Middle East or elsewhere. The transmission modes and protocols have changed a lot, and all of them have added the new ones as they came into use while continuing to capture and analyze communications on the older ones like radio, telegraph, and telephone.

      A great deal of intelligence analysis is produced from public sources, but it needs to be supplemented by, and validated by comparison with, information that is believed to be private. In the present environment, one tool is penetration of networks guarded by routers, something Juniper claimed to provide security against.

    3. phuzz Silver badge

      The terrorists might not be using a Juniper, but their ISP might be.

      Most of the NSA's actions seem to have been directed towards getting access to everything, regardless of if there's a pressing need. "More data better" is their motto.

    4. NotBob
      Big Brother

      You're beginning to think. Down that path leads dragons (or, probably more accurately, government watch-lists).

    5. MyffyW Silver badge

      Whether or not we're safer as a result of the NSA having access to this equipment is a moot point (and one I'm happy to challenge).

      But we're certainly less safe now that world+wife+dog has access to all the Juniper equipment. Blinding, boys.

  4. Fruit and Nutcase Silver badge
    Thumb Up

    B̶a̶c̶k̶d̶o̶o̶r̶ Frontdoor

    so easy, it's shirley a Frontdoor?

    1. Ole Juul

      Re: B̶a̶c̶k̶d̶o̶o̶r̶ Frontdoor

      Depends on where you're comin' from - if you know what I mean.

  5. JavaJester

    Oddly Appropriate Juniper Related Quote

    1 Kings 19:4 "But he himself [Elijah] went a day's journey into the wilderness, and came and sat down under a juniper tree: and he requested for himself that he might die;"

    1. Chris Miller

      Re: Oddly Appropriate Juniper Related Quote

      BRIAN: Of course they've brought forth juniper berries! They're juniper bushes! What do you expect?!

      1. Wzrd1

        Re: Oddly Appropriate Juniper Related Quote

        Ah, juniper berries, makes for great gin!

        Actually, without them, it isn't gin.

  6. Anonymous Coward
    Anonymous Coward

    Arrrh! Me Maties! Prepare for boarding on my cusswords: "<<< %s(un='%s') = %u"

    "Talk like a pirate" day comes early.

    1. Anonymous Coward
      Anonymous Coward

      Re: Arrrh! Me Maties! Prepare for boarding on my cusswords: "<<< %s(un='%s') = %u"

      Talk like a pirate... or talk like a Chinese - Sun Tsu and the Art of (Cyber)War?

  7. Barbarian At the Gates

    The US solution to a bad guy with a backdoor

    ...is a good guy with a backdoor.

    I wish that was a joke.

    1. Anonymous Coward
      Anonymous Coward

      Re: The US solution to a bad guy with a backdoor

      The message you don't want to hear:

      "Victor the Backdoor Man has arrived at your premises."

      1. AbelSoul
        Trollface

        Re: the Backdoor Man has arrived

        The men don't know but the little girls understand?

        (Yes, I know Willie Dixon did it first...)

  8. Neoc

    Hmmm....

    "<<< %s(un='%s') = %u"

    " s un s u"

    Sun Tsu?

  9. psam

    This has to be added to every dictionary; the <<< can save years, plus the outside characters and spaces could really help brute force. It's not about guessing brute force, but assuming they might have used this format somewhere else, or just being able to guess the = and spaces, is a huge help.

    I hope they had to choose a password for something else important; it should have been yX''k877'J@YgG~{T*[X? something not anything readable (assuming 21 characters was the limit).

    1. Wzrd1

      "This has to be added to every dictionary,..."

      It's now part of every vulnerability scanner's dictionary already; as soon as the backdoor information was released, the dictionaries were updated.

    2. Voland's right hand Silver badge

      This was not found during brute forcing

      It was found via disassembly - just not sure if it was before or after the announcement. What is published is a disassembly.

      It was also not done to be obscure (that would have been a crypted pwd). It was done so it is not seen on code source analysis/strings.

      1. Roland6 Silver badge

        Re: This was not found during brute forcing

        "It was found via disassembly"

        Interesting concept given how so many EULAs prohibit "reverse engineering" - so even more interesting that Rapid7 have gone public; perhaps this is something the white hats should be doing with software from other major vendors, given that the black hats are likely to be already doing ...

  10. Stevie Silver badge

    Bah!

    Amazing! That's the combination to my luggage!

  11. CAPS LOCK Silver badge

    I guess this would have shown up with a cursory glance at the code?

    So no code review, not even cursory. I expect this applies to the rest of the code from Juniper.

    1. chris 17 Bronze badge

      Re: I guess this would have shown up with a cursory glance at the code?

      @ CAPS LOCK

      "I guess this would have shown up with a cursory glance at the code? "

      You are so right, I would have easily spotted it in the 10 lines of code that comprise NetScreenOS, I can't think why they didn't.

      1. CAPS LOCK Silver badge

        @ chris 17

        What, there's a lot of code so it's ok to not review it?

    2. Jonathan Richards 1

      Re: I guess this would have shown up with a cursory glance at the code?

      Juniper's advisory says

      "During an internal code review, two security issues were identified."

      So, more than a cursory glance, and that is in fact how it was found. The CIO said that the code review identified "unauthorized" code. Whether or not Juniper will share with us how that backdoor got into their code repository remains to be seen; it's interesting that it seems to have been 'camouflaged' to look like a printf() command. That's not what you'd expect from some developer putting in a time-saving routine during development and then forgetting to remove it before release, it looks like something that was designed to stay under the radar in released software.

    3. Voland's right hand Silver badge

      Re: I guess this would have shown up with a cursory glance at the code?

      Depends how and where.

      If this went in as assembler in the first place, I doubt that a cursory code review would have found it out. You can really obscure things if you want to :)

      You can also obscure this in C too - use the format string in 4-5 places to print so it is fully legit. Then all you need to sneak in is one comparison which can be done simply by replacing == with = in the right place :) Even better - reuse an existing format string.

      1. Francis Vaughan

        Re: I guess this would have shown up with a cursory glance at the code?

        Exactly - there is existing history for security breaches that are deliberately hard to pick in code reviews, and when very well done are plausibly deniable as a simple slip of the keyboard, and not actually done with malicious intent.

        Now in its eighth year - http://www.underhanded-c.org/

  12. razorfishsl

    The Backdoor boys are back.........

  13. chris 17 Bronze badge

    Has anyone tried it on their Juniper Kit?

  14. cantankerous swineherd
    Joke

    insecure password, no caps, no digits.

  15. matt1234

    So didn't Juniper ever publish an MD5 sum of their firmwares?

    If they claim to have no knowledge of it, then surely the publishing of an md5 will prove it was tampered with. If they did produce an md5 and it matched the vulnerable one then they did know about it.

    1. Francis Vaughan

      No, it is clear that the vulnerability was introduced into the source, it wasn't added as a hack to a binary image. The clue is in the password string. It is one of two things.

      1. An intentionally coded backdoor with a password deliberately made to look like a legitimate printf format, so that simple strings analysis of the binary would not suggest it was anything special to any potential attacker.

      1a. Actually is a legitimate printf format string that has been reused for an intentionally coded backdoor.

      2. It is a legitimate printf format, and someone has tweaked the source code to make it work as a backdoor password by introducing a small but critical flaw in the program.

      The difference is that option 1 should show up in a code review. Option 2 may be very hard to pick up. Languages like C and C++ contain a great many ways of burying such exploits in ways that take considerable care and expertise to notice, let alone figure out. Indeed both languages seem to encourage coding habits that make such things hard to detect.

      It could be as simple as an extra * in the right place, or the difference between 1 and I in a carefully chosen spot.
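      As an added illustration of the point made by Voland's right hand (reuse an existing format string, then hide one comparison as `=` for `==`) and by Francis Vaughan's option 2 above: this is constructed example code, not from the page, Juniper or the Underhanded C contest, and the user name and password are made up. It shows a C password check where the thread's log format string becomes a silent backdoor through a single-character slip, beside a form that cannot be written that way, and why the usual compiler warning does not catch it.

```c
#include <stdio.h>
#include <string.h>

/* Log format reused as a credential, as the commenters describe. The string
 * is the one quoted in the thread; the user and password are constructed. */
static const char *const kFmt = "<<< %s(un='%s') = %u";
#define REAL_USER "admin"
#define REAL_PASS "correct-horse-battery-staple"

/* Legitimate use of kFmt: it appears in a real logging helper, so `strings`
 * on the binary and a grep for the literal show nothing unusual. */
static void audit_log(const char *what, const char *user, unsigned rc)
{
    fprintf(stderr, kFmt, what, user, rc);
    fputc('\n', stderr);
}

/* Flawed variant (constructed): the slip is `=` for `==` in the log guard. */
static int auth_flawed(const char *user, const char *pass)
{
    int rc = strcmp(user, REAL_USER) == 0 ? strcmp(pass, REAL_PASS) : 1;
    /* Reads as "log a rejection unless the caller handed us our own format
     * string as data", but the assignment overwrites the verdict: a password
     * equal to kFmt sets rc to 0, grants access, and is never logged. The
     * extra parentheses are what keep gcc/clang -Wparentheses quiet. */
    if (rc && (rc = strcmp(pass, kFmt)))
        audit_log("reject", user, (unsigned)rc);
    return rc == 0;
}

/* Hardened variant: the verdict is computed once and is const, so any later
 * `rc = ...` is a compile error, and the password is compared against
 * nothing but the real one. */
static int auth_fixed(const char *user, const char *pass)
{
    const int rc = strcmp(user, REAL_USER) == 0 ? strcmp(pass, REAL_PASS) : 1;
    if (rc != 0)
        audit_log("reject", user, (unsigned)rc);
    return rc == 0;
}

int main(void)
{
    printf("flawed, real pass: %d\n", auth_flawed(REAL_USER, REAL_PASS));
    printf("flawed, fmt pass : %d\n", auth_flawed("anyone", kFmt));
    printf("fixed,  fmt pass : %d\n", auth_fixed("anyone", kFmt));
    return 0;
}
```

      Building with `cc -Wall -Wextra` compiles the flawed version without a warning, which is the review lesson: treat any assignment inside a condition, parenthesised or not, as a finding, and keep authentication verdicts in variables that cannot be reassigned.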

  16. Crazy Operations Guy Silver badge

    Brute force the firmware

    Now I have an itching to start disassembling all the firmware I have access to, then using each line as part of a dictionary attack against the devices to see what pops up.

    1. regadpellagru

      Re: Brute force the firmware

      "Now I have an itching to start disassembling all the firmware I have access to, then using each line as part of a dictionary attack against the devices to see what pops up."

      You won't get far with that, if K = K1 XOR K2, with K being your backdoor, and K1 and K2 being the only strings in the binary ...

      The only solution is disassemble the binary ... Possible but VERY time consuming.

  17. Crazy Operations Guy Silver badge

    And this is why I've abandoned commercial network appliances

    Things like this are why I replaced the edge appliances at work with commodity boxes running OpenBSD and decommissioned the old Checkpoints and Cisco ASAs / edge routers. I trust publicly released by a bunch of highly paranoid programmers a lot more than a multi-billion dollar company nowadays, and things like this just help make my case for doing so.

  18. Anonymous Coward
    Anonymous Coward

    Who in their right mind would review disassembled code?

    Unless the source was not available. (Is that what tipped them off -- a compromised SCM?)

    1. Crazy Operations Guy Silver badge

      Re: Who in their right mind would review disassembled code?

      Even if the source is still available, the binary should be checked anyway since it may well be compromised. Besides, the source wasn't available in this instance anyway.

  19. rmstock

    New NSA whistleblower?

    This smells like we have a new NSA whistleblower.

    `aSUnSU' ..and that is from a Chinese programmer who barely passed the English exams.

    This message was sponsored by Cisco TM, wishing you a very happy Xmas !!!!!!

  20. Michael Wojcik Silver badge

    Dual_EC_DRBG strikes again

    "If anything, ScreenOS's use of the Dual EC DRBG random number generator in its encryption is more worrying, and points to potential NSA interference."

    I'm not sure I'd call it "more worrying" - it's hard to rank this sort of thing - but it's certainly worrying.

    There has never been any good reason to use Dual_EC_DRBG, and particularly not with the default parameters. Security researchers raised very public concerns about it when it was first published. It doesn't offer good performance, and the possibility of a backdoor - and impossibility of proving there isn't one - has been well-known for years.

    NIST Special Pub 800-90A, which specified Dual_EC_DRBG, also specified three other CPRNGs, so it's not like Dual_EC was the only choice even if you were going to sell to an entity that demanded a NIST-endorsed CPRNG. And even if someone insisted on Dual_EC (which would be mighty odd), 800-90A says you can generate your own parameters and shows you how to do it.

    As with RSA BSAFE, the use of Dual_EC_DRBG is highly suspect. It indicates that either someone was persuaded to put in that particular NSA back door, or the crypto was implemented by people who weren't experts and couldn't be bothered to do some basic research. So either malice or incompetence. There's no other alternative.

  21. CAPS LOCK Silver badge

    Juniper are shit....

    ... there, I said it.


Biting the hand that feeds IT © 1998–2019