Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The Juniper VPN backdoor: buggy code with a dose of shady NSA crypto

Lucian Constantin | Dec. 23, 2015
Or, how one backdoor was actually two

Security researchers and crypto experts have spent the last few days trying to figure out the details of a recently announced backdoor in Juniper NetScreen firewalls that could allow attackers to decrypt VPN (Virtual Private Network) traffic. They believe that they found the answer: a combination of likely malicious third-party modifications and Juniper's own crypto failures.

According to experts, Juniper was using a known flawed random number generator called Dual_EC_DRBG as the foundation for cryptographic operations in NetScreen's ScreenOS, but believed it was doing so securely because of additional precautions it had taken. It turns out those safeguards were ineffective.

The VPN decryption issue was announced by Juniper Thursday along with another vulnerability that could provide attackers with administrative access to NetScreen devices through the use of a hard-coded master password. Both issues were the result of unauthorized code that was added to ScreenOS and were discovered during a recent internal code audit, the company said at the time.

Juniper released patched versions of the affected firmware, but didn't publish details about the rogue code, its location or who might have added it. The FBI is reportedly investigating the incident.

The security community took it upon itself to reverse engineer the old firmware versions and Juniper's new patches in order to dig up more information. Researchers soon found the hardcoded, but cleverly concealed, password for the administrative access backdoor and discovered that it affected fewer ScreenOS versions than initially believed.

Crypto specialists delved into the VPN issue, whose description made it more appealing to them, as the ability to spy on encrypted traffic is always a big deal.

It didn't take long for someone to notice that Juniper's latest patches reverted a parameter back to a value that the OS used before version 6.3.0r12, the first in the 6.3.0 branch that Juniper claims was affected by the VPN decryption issue.

According to further analysis by Ralf-Philipp Weinmann, founder and CEO of German security consultancy firm Comsecuris, that parameter turned out to be Q, one of two constants — P and Q — that are used by the Dual_EC random number generator (RNG).

Dual_EC was standardized by the U.S. National Institute of Standards and Technology (NIST) in 2007 after being championed by the U.S. National Security Agency, which played an important role in its development. Shortly after, Dan Shumow and Neils Ferguson, two researchers from Microsoft, disclosed a major weakness in the standard that could serve as a backdoor.

"Omitting the mathematics, the short version is that Dual EC relies on a special 32-byte constant called Q, which — if generated by a malicious attacker — can allow said attacker to predict future outputs of the RNG after seeing a mere 30 bytes of raw output from your generator," said Matthew Green, a cryptographer and assistant professor at Johns Hopkins University, in a blog post Tuesday.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.