Argyll Free Press

Growing News Network

Tuesday, December 23, 2025
Log in

Juniper Networks Spy Code Story Continues

By Leave a Comment

Juniper Networks Logo and Motto in a building

New developments have occurred regarding the discovery of Juniper Networks spy code in its ScreenOS, that took place last week.

There were no less than two backdoors, not one. Discovered by non-Juniper Networks affiliated security and cryptography specialists in the past days.

The founder and CEO of Comsecuris, a German security company, said the more exact definition of what happened would be a “backdoored backdoor”.

Apart from the unauthorized code that Juniper Networks discovered last week in their ScreenOS, there was also a major vulnerability within the authorized code itself.

Because this code included a Random Number Generator (RNG) called Dual_EC_DRBG as the basis of its encryption for NetScreen devices. And this RNG was widely known to be a major security risk ever since 2007 when two Microsoft researchers, Dan Shumow and Neils Ferguson, exposed its backdoor potential via Q, one of the constants it uses.

What’s more interesting? Though it lost it’s NIST (US National Institute of Standards and Technology) approval then, it was initially standardized and approved by NIST after it was strongly promoted by… none other than the NSA. Who also happened to develop Dual_EC_DRBG.

Take into account that the New York Times reported in 2013 (based on Edward Snowden leaks) that NSA put the vulnerability inside this RNG on purpose and it paints a pretty picture.

Even more interesting is that Juniper Networks have admitted that they consciously used Dual_EC_DRBG, despite knowing of its security risk, because they took other countermeasures to nullify it.

Namely  using “self-generated basis points” instead of the P and Q constants, supposed to be points on an elliptic curve and, on top of that, using the output of Dual_EC_DRBG (the random number) as an input for another RNG called FIPS/ANSI X.9.31.

This latter RNG’s output was supposed to be used for the encryption operations. As described by Juniper Networks, the Q vulnerability (planted there by NSA or whoever did) would have indeed been useless.

But here’s the thing. The code that was supposed to pass the Dual_EC_DRGB result to the FIPS/ANSI X.9.31 RNG had an error in it. Hence, it failed and didn’t pass anything. Hence, FIPS/ANSI X.9.31 never ran and was completely useless, as pointed out by Willem Pinckaers, the security researcher who discovered this error. Which prompted Weinmann to say: backdoored backdoor.

This comes at a time when there is an increase of state-involvement in private companies’ data management and amid a push from governments and intelligence agencies to force big companies to implement backdoors for lawful use by them in investigations.

The Juniper Networks example should serve as a warning that hackers can use such backdoors too!

The good news: though real, as confirmed by the hard coded hidden password discovered by the researchers, the administrative rights vulnerability is not as extensive as previously announced by Juniper Networks.

It only affects ScreenOS versions 6.3.0r17 – 6.3.0r20.

The VPN decryption one affects versions 6.2.0r15 – 6.2.0r18 and 6.3.0r12 – 6.3.0r20.

Image source: 1.

Juniper Networks Spy Code Alert

By Leave a Comment

Photo of the Juniper Networks headquarters.

Juniper Networks, one of the big US companies that produces networking devices and software, has discovered unauthorized code that can compromise such devices, in an internal review that the company recently had.

They made the announcement that such code was present on Thursday and subsequently proceeded to immediately release critical patches to fix the issue.

They recommended that users download and install these patches so that they are protected from any future attack.

The products with vulnerabilities are only those running certain versions of Juniper Networks’ operating system, called ScreenOS.

The OS system versions in question are 6.2.0r15 – 6.2.0r18 and 6.3.0r12 – 6.3.0r20.

The good news is that Juniper Networks have had no reports that the vulnerable NetScreen devices have actually been exploited.

The bad news is that if they were two be exploited, it could happen in 2 ways. Both of which are very difficult or impossible to detect.

The first scenario consists of a competent hacker getting administrative access to a Juniper device. This access can be gained remotely. And once the hacker has administrative access, he/she can simply delete the log files marking his passage. Therefore, no sign would be left of the attack and the operations performed.

The second scenario involves a likewise competent hacker being able to eliminate the encryption of data sent via the VPN’s using vulnerable Juniper devices. There are no means at the company or user’s disposal to detect whether such a decryption took place.

The disturbing part is that the unauthorized code allows for these two scenarios because it works by compromising the firewall on those Juniper devices running the above mentioned operating system. So, in essence, that barrier which should protect your computer from threats from the “outside” (the whole web) is the actual vulnerability, the entry point.

To add to that, the unauthorized code is designed to spy, not disable or damage your computer or cost you any money, which brings forth strong images of state involvement as opposed to freelance hackers or hacker organizations.

Also worth noting is that the Juniper Networks spy code alert comes just two years after a report by the German Der Spiegel featured an article on NSA’s frequent security breaches of the company’s devices, including the methods used (Feedthrough  – a toolkit that inserts software implants on Netscreen devices that remain active even after reboot or upgrade).

Also around 2013 were Edward Snowden’s allegations that the NSA and other US intelligence agencies intercept and alter technology products on a regular basis.

So why are these reports from 2 years ago relevant for the alert issued yesterday? Simple. Because the earliest version of the Screen OS 6.2.0r15 is dated 2012.

It all fits nicely and is a plausible assumption that this recently discovered breach is in fact state-sponsored.

What are your thoughts on the matter?

Image source: 1.

Categories