Firewall Backdoors Still Not Patched

Friday, January 8, 2016 @ 06:01 PM gHale

Over 1,500 Juniper Networks firewalls remain open to attack because users did not install patches designed to mitigate backdoors, a researcher said.

Juniper Networks reported in mid-December it discovered unauthorized code in ScreenOS, the operating system behind NetScreen firewalls.

Juniper Finds, Patches Own Bugs
Cisco Working to Fix Deserialization Holes
Java App Servers Vulnerable
Oracle Issues Security Patches

That code introduced a vulnerability that ended up leveraged to gain administrative access to affected devices and another one that could decrypt VPN connections.

The VPN decryption flaw affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

The authentication backdoor affects ScreenOS 6.3.0r17 through 6.3.0r20.

The security holes ended up patched with the release of ScreenOS 6.2.0r19 and 6.3.0r21.

Researchers said it took them only six hours to find the password for the authentication backdoor. Honeypots deployed showed attackers were attempting to take advantage of the flaw.

Security consultant Julio Cesar Fort scanned the Net to see how many of the Juniper NetScreen devices are still vulnerable.

Using the Censys search engine, Fort found over 51,000 Internet-facing NetScreen devices, he said in a blog post. Scans conducted at the 32nd Chaos Communication Congress in Germany and in the following days, up until January 5, revealed 1,595 potentially unpatched devices. Scans on SHODAN found 26,041 Internet-facing hosts running NetScreen.

Juniper devices hit with the backdoor can end up accessed with any username and one specific password. In order to avoid counting honeypots mimicking vulnerable firewalls, Fort configured his scanner so it attempted to connect with the username “honeytrap,” not likely used by honeypots.

Fort found the largest number of vulnerable devices in the United States (480), followed by China (134), Japan (112), Germany (107) and South Korea (100).