Advancing the Security of Juniper Products
POSTED BY BOB WORRALL, SVP CHIEF INFORMATION OFFICER ON JANUARY 8, 2016
Recently Juniper Networks announced the discovery of unauthorized code in the ScreenOS® software used in our Netscreen® products. This malicious code could allow a knowledgeable attacker to circumvent the security of those products. Once we identified these vulnerabilities, we launched an investigation into the matter and worked to develop and issue patched releases for the latest versions of ScreenOS. We then notified customers with a Juniper Security Advisory and published a Security Incident Response Team Blog with further details.
In addition to removing the unauthorized code and making patched releases available, Juniper undertook a detailed investigation of ScreenOS and Junos OS® source code. A respected security organization was brought in to assist with this investigation. After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS. The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS.
Further, after a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem.
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
Juniper is committed to constantly improving the integrity of its engineering environments. As part of our established processes, we will continue to monitor our code bases and evaluate the security of them. We will also continue to look for other ways to harden our environment and mitigate security risks.
The investigation of the origin of the unauthorized code continues.
As a leading provider of high performance networking technology solutions globally for the past 20 years, Juniper Networks is keenly aware of the current and evolving threats to national and economic security around the world. As a proven leader in driving technology innovation, we are also aware that our products will continue to be a target of cyber attacks. We are committed to the integrity, security, and assurance of our products. We have also demonstrated that it is our policy to fix security vulnerabilities when they are found and to notify our customers according to our Security Incident Response Team procedures.
Q&A
Q: There are reports that the use of Dual_EC in the patched releases prevents the vulnerability from being fixed. Is this true?
No. We remain confident that the patched releases, which use Dual_EC, remediate both the unauthorized administrative access issue, as well as the VPN decryption issue.
We strongly recommend that customers upgrade their impacted systems to the patched releases with high priority.
Q: Pending the planned replacement of the Dual_EC, do Screen OS devices have sufficient cryptology?
Yes. We believe that the existing code using Dual_EC with self-generated basis points provides sufficient cryptology notwithstanding issues with the second ANSI X.9.31 random number generator. We will replace both Dual_EC and ANSI X9.31 in ScreenOS 6.3.
Q: Can you please outline the process you used to check the Junos OS at a high level?
The process examined Junos OS source code in “hot spots” where one may expect to find code similar to the code found in ScreenOS. The hot spots include VPN code, encryption code, and authentication code. We also inspected our build environments for any evidence of tampering or unauthorized access.
Q: Why did we feel this was an important step to take?
Given the discovery of unauthorized code in one product, it was important to inspect our products running Junos OS for signs of unauthorized code as well as to carefully inspect the source code itself.
Junos OS is the main operating system for most of Juniper’s current products.
#SIRT