Juniper Changes ScreenOS Firewalls

Wednesday, January 13, 2016 @ 10:01 AM gHale

Juniper is making some changes. It will replace the Dual_EC pseudo-random number generator in ScreenOS with the same random number generation technology currently used in its products running Junos OS and ScreenOS will also stop using the ANSI X9.31 number generator, officials said.

This all comes on the heels of Juniper’s NetScreen firewall devices running ScreenOS containing vulnerabilities that opened backdoors into the devices and allowed attackers to decrypt of VPN connections undetected.

Firewall Backdoors Still Not Patched
Juniper Finds, Patches Own Bugs
Cisco Working to Fix Deserialization Holes
Java App Servers Vulnerable

The revelation sparked additional research and disclosures, as well as speculation about who planted those backdoors.

As it turns out, after revealing the results of research into when the backdoors ended up installed, it showed the company made some questionable choices when it came to the security of their devices running ScreenOS. That was the final straw for Dual_EC and ANSI X9.31 in these devices.

A group of researchers, including Stephen Checkoway, an assistant professor of computer science at the University of Illinois at Chicago, analyzed 48 versions of the NetScreen firmware, and discovered:
1. Despite claiming known vulnerabilities in the Dual_EC RNG were not important as the ScreenOS devices had a more secure RNG algorithm (ANSI X9.31) to fall back on, the fact that Dual_EC was present was enough for attackers to introduce a backdoor.
2. The insecure Dual_EC algorithm added into the devices long after the more secure ANSI algorithm was already in it
3. When they implemented Dual_EC, the company changed the length of the nonce (the random number string generated by the algorithm used to help encrypt data) – from 20 bytes to 32 bytes. This is important because a 20-bytes-long nonce would raise the amount of calculation and the time required to do them to such heights, as to make it very, very hard for an attacker to break the encryption scheme. A 32-bytes-long nonce would make the task considerably easier to execute.

These changes went into in ScreenOS version 6.2.0, which released no later than March 2009.

Even after announcing the replacement of Dual_EC and ANSI X9.31 in ScreenOS 6.3 (due to release in the first half of 2016), Juniper said “the existing code using Dual_EC with self-generated basis points provides sufficient cryptology notwithstanding issues with the second ANSI X.9.31 random number generator.”

“We remain confident that the patched releases, which use Dual_EC, remediate both the unauthorized administrative access issue, as well as the VPN decryption issue,” said Derrick Scholl, the leader of the Juniper Networks Security Incident Response Team in a post.