New developments have occurred regarding the discovery of Juniper Networks spy code in its ScreenOS, that took place last week.
There were no less than two backdoors, not one. Discovered by non-Juniper Networks affiliated security and cryptography specialists in the past days.
The founder and CEO of Comsecuris, a German security company, said the more exact definition of what happened would be a “backdoored backdoor”.
Apart from the unauthorized code that Juniper Networks discovered last week in their ScreenOS, there was also a major vulnerability within the authorized code itself.
Because this code included a Random Number Generator (RNG) called Dual_EC_DRBG as the basis of its encryption for NetScreen devices. And this RNG was widely known to be a major security risk ever since 2007 when two Microsoft researchers, Dan Shumow and Neils Ferguson, exposed its backdoor potential via Q, one of the constants it uses.
What’s more interesting? Though it lost it’s NIST (US National Institute of Standards and Technology) approval then, it was initially standardized and approved by NIST after it was strongly promoted by… none other than the NSA. Who also happened to develop Dual_EC_DRBG.
Take into account that the New York Times reported in 2013 (based on Edward Snowden leaks) that NSA put the vulnerability inside this RNG on purpose and it paints a pretty picture.
Even more interesting is that Juniper Networks have admitted that they consciously used Dual_EC_DRBG, despite knowing of its security risk, because they took other countermeasures to nullify it.
Namely using “self-generated basis points” instead of the P and Q constants, supposed to be points on an elliptic curve and, on top of that, using the output of Dual_EC_DRBG (the random number) as an input for another RNG called FIPS/ANSI X.9.31.
This latter RNG’s output was supposed to be used for the encryption operations. As described by Juniper Networks, the Q vulnerability (planted there by NSA or whoever did) would have indeed been useless.
But here’s the thing. The code that was supposed to pass the Dual_EC_DRGB result to the FIPS/ANSI X.9.31 RNG had an error in it. Hence, it failed and didn’t pass anything. Hence, FIPS/ANSI X.9.31 never ran and was completely useless, as pointed out by Willem Pinckaers, the security researcher who discovered this error. Which prompted Weinmann to say: backdoored backdoor.
This comes at a time when there is an increase of state-involvement in private companies’ data management and amid a push from governments and intelligence agencies to force big companies to implement backdoors for lawful use by them in investigations.
The Juniper Networks example should serve as a warning that hackers can use such backdoors too!
The good news: though real, as confirmed by the hard coded hidden password discovered by the researchers, the administrative rights vulnerability is not as extensive as previously announced by Juniper Networks.
It only affects ScreenOS versions 6.3.0r17 – 6.3.0r20.
The VPN decryption one affects versions 6.2.0r15 – 6.2.0r18 and 6.3.0r12 – 6.3.0r20.
Image source: 1.