Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Bad actors race to exploit Juniper firewall vulnerability

Tim Greene | Dec. 21, 2015
Efforts afoot to reverse engineer the flaw and create commodity exploits.

juniper netscreen 5200 2
Credit: Juniper

Now that Juniper has created a patch for its vulnerable firewall/VPN appliances, bad actors are setting to work reverse engineering the flaw so they can exploit devices that users don’t patch, and also make a profit by selling their exploits to others.

“That’s what they do,” says John Pironti, president of IP Architects, who says he spent Friday responding to concerns about the compromised Juniper firewalls with his clients.

The pattern cyber criminals follow after vendors patch vulnerabilities is to compare the patched code to the unpatched code, figure out what the flawed code was and figure out how to use it to break into the device and the network it protects, Pironti says.

In this case Juniper says the flaw can be exploited to completely compromise a NetScreen firewall/VPN appliance via unauthorized remote administrator access via telnet or SSH, wipe out logs that would reveal the attack, and decrypt VPN traffic.

Once the reverse engineers do that, they’ll start trying out the exploit on whatever NetScreen devices they can locate in real-world networks hoping to find ones that aren’t patched, Pironti says. After that the exploits will go up for sale in underground markets and wend their way into open source penetration-testing platforms such as metasploit.

Inevitably some users fail to apply critical patches for years and years after they have been issued, he says. “It will be used for years,” he says. “This will not go away overnight.”

Since attackers can erase any trace they exploited a NetScreen appliance, IT security teams should start checking logs in the devices in line behind the firewall/VPNs. They should look for consistent and persistent traffic originating from unfamiliar and atypical IP address ranges that could represent the attackers moving inside the network once they’ve cracked the appliance, Pironti says. “See if they tried to get elsewhere,” he says.

Meanwhile, as of Friday, Juniper had yet to answer some key questions about the bad code.

In response to emails seeking more information, Juniper reiterated part of its initial announcement about the patches and provided a link to its formal advisory, but that’s it.

Some of the questions left unanswered:

  • How long has the bad code been in ScreenOS?
  • How did it get there?
  • How many units did it affect?
  • Does the problem affect every VPN tunnel or just certain tunnel types and encryption types?
  • Does Juniper recommend that customers do any sort of security audit to figure out if they have been compromised through use of this vulnerability?
  • Is there any way to find out if the vulnerability has been exploited in a particular device?

“I think that Juniper does owe us more information,” says Joel Snyder, senior partner in Opus One, a technology consultancy that has tested network firewalls for Network World. “In any case, I think that Juniper should be forthcoming with more information to let us know if they think that this was put in accidentally, on purpose, and by whom.”


1  2  Next Page 

Sign up for CIO Asia eNewsletters.