Researchers confirm backdoor password in Juniper firewall code

On December 17, Juniper Networks issued an urgent security advisory about “unauthorized code” found within the operating system used by some of the company’s NetScreen firewalls and Secure Service Gateway (SSG) appliances. The vulnerability, which may have been in place in some firewalls as far back as 2012 and which shipped with systems to customers until late 2013, allows an attacker to gain remote administrative access to systems with telnet or ssh access enabled. And now researchers have both confirmed that the backdoor exists and developed a tool that can scan for affected systems.

In a post to the Rapid7 community blog site on December 20, Metasploit project founder and Rapid7 researcher H D Moore published an analysis of the affected versions of Juniper’s ScreenOS operating system, including the administrative access password that had been hard-coded into the operating system. This backdoor, which was inserted into ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, is a change to the code that authorizes administrative access with the password “<<< %s(un='%s') = %u”, a string that Moore notes was crafted to resemble debug code so that it would evade detection during code review.

A side-by-side look at the Juniper ScreenOS code, with the backdoored code on the left and unaltered code on the right. The backdoor password is highlighted. PHOTO: Rapid7

Since this code is in the firmware of the affected Juniper NetScreen and SSG appliances, the only way to remove it is to re-flash the firmware with a new version of ScreenOS. Steve Puluka has written a guide on how to perform the upgrade and avoid some of the potential problems around installation, including dealing with the configuration of a new signing key for the upgrade.

Moore noted that detecting whether vulnerable systems have been accessed using the backdoor may be difficult. The only evidence of an attacker using the backdoor in log files would be entries that Juniper said would look like this:

2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from…

2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host…

Analysis of the backdoor has now made it possible to detect attempts to use the exploit going forward. The Dutch IT security firm Fox IT, which assisted in confirming the backdoor password, has developed a set of rules for the Snort open source intrusion detection system that can detect attempts to gain access to vulnerable Juniper systems. The rules watch for attempted logins via telnet or ssh using the backdoor password.
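As an added example, not code from the article, Juniper, Rapid7 or Fox IT, the script below applies the same idea to exported ScreenOS logs: it parses the two event types quoted above (00528 successful SSH password authentication and 00515 admin logon) and flags logons whose account is not an expected administrator or whose source host lies outside the management network. The sample lines are constructed, and the text after "from" / "at host" is an assumption about the full log format, since the article truncates the entries.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample log, shaped after the two entries quoted in the article.
# The host:port tail is an assumption; the page truncates the real lines.
SAMPLE_LOG = """\
2015-12-17 08:55:10 system warn 00528 SSH: Password authentication successful for admin user 'netadmin' at host 10.0.5.20
2015-12-17 08:55:10 system warn 00515 Admin user netadmin has logged on via SSH from 10.0.5.20:50122
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'username2' at host 203.0.113.5
2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from 203.0.113.5:51234
"""

# Event 00528: successful SSH password authentication (straight or curly quotes
# around the user name). Event 00515: an admin session was opened.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system warn 00528 SSH: Password authentication successful "
    r"for admin user ['\u2018](?P<user>[^'\u2019]+)['\u2019] at host (?P<host>[\d.]+)")
LOGON_RE = re.compile(
    r"^(?P<ts>\S+ \S+) system warn 00515 Admin user (?P<user>\S+) has logged on "
    r"via (?P<proto>SSH|Telnet) from (?P<host>[\d.]+)")


def triage(log_text: str, known_admins: Set[str], mgmt_nets: List[str]) -> List[Dict[str, str]]:
    """Return one finding per admin logon that uses an unexpected account
    (the backdoor accepts any user name, and the session is logged as
    'system') or comes from outside the management networks."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line) or LOGON_RE.match(line)
        if not m:
            continue  # not one of the two events we care about
        user, host = m.group("user"), m.group("host")
        reasons = []
        if user not in known_admins:
            reasons.append("unknown admin account")
        if not any(ipaddress.ip_address(host) in n for n in nets):
            reasons.append("source outside management network")
        if reasons:
            findings.append({"ts": m.group("ts"), "user": user,
                             "host": host, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"netadmin"}, ["10.0.0.0/8"]):
        print(finding)
```

A clean result from this script is not proof of absence: as Moore notes, a backdoor login from an expected host using an expected user name is indistinguishable from a legitimate one in these logs.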


SOURCE: Sean Gallagher | Ars Technica
