Juniper Firmware: New Crypto Flaw FoundSecurity Experts Question Claim that Patched Code Now Secure
Eight years after a crypto backdoor was added to the ScreenOS firmware that runs Juniper Networks' NetScreen firewalls, among other devices, the U.S. networking giant has promised to eliminate the vulnerability and moved to reassure customers that its products are now safe to use (see Juniper Devices Are Under Attack).
But Juniper, whose customers include everyone from AT&T and Verizon to NATO and the U.S. government, has yet to answer some tough questions about how ScreenOS ended up with three separate vulnerabilities, which researchers say could have been used to provide untraceable access to a range of Juniper devices, as well as decrypt VPN traffic (see Who Backdoored Juniper's Code?).
Juniper Networks says that it has conducted an in-depth review of both ScreenOS as well as its Junos OS firmware, which runs its routing, switching and security devices. "After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS," Juniper CIO Bob Worrall says in a Jan. 8 blog post.
For the code review, the company examined "hot spots" that someone might target, including all code relating to VPN capabilities, as well as encryption and authentication, Worrall says. "We also inspected our build environments for any evidence of tampering or unauthorized access.
To Juniper's credit, the company itself first flagged the discovery of some of the "unauthorized code" last month and issued related fixes for affected software. After that warning, HD Moore, chief research officer of security firm Rapid7, found that the flaws would allow an attacker to bypass the authentication in affected products, noting that the code flaw seemed to appear in ScreenOS in "late 2013." Meanwhile, researchers also found a VPN implementation flaw, which dates from 2012, could be used to decrypt traffic.
More Unauthorized Code?
Last week, however, researchers detailed a third flaw which could also be used to decrypt VPN traffic. That flaw now raises the possibility that up to three different intelligence agencies altered the ScreenOS firmware, says Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, via Twitter.
The latest revelation came to light after a team of leading cryptographers reviewed 48 versions of the ScreenOS firmware, and found that in late 2008 or early 2009, the company added "Dual_EC_DRBG" to ScreenOS.
"For those who don't immediately recognize that name, it's the pseudo-random-number generator that was backdoored by the NSA," says Bruce Schneier, CTO of incident response firm Resilient Systems, in a blog post. The backdoor was relatively simple: The random-number generator generated numbers that weren't quite random enough, meaning they could be deduced and related data decrypted.
Following the Snowden revelations, in April 2014 the U.S. National Institute of Standards and Technology stopped recommending the use of Dual_EC. At the time, Schneier noted that "nobody is actually using it."
Nobody, it now appears, except Juniper. A spokeswoman for the firm declined to comment on when Dual_EC was added, or why.
The NSA Backdoor Legacy
Juniper had previously claimed that despite known problems with Dual_EC not generating random-enough numbers to provide reliable crypto, its use of the ANSI X.9.31 random number generator mitigated the issue. But research presented at last week's Real World Cryptography Conference in Stanford, Calif., drawing on the work of a number of leading cryptographers, found that ScreenOS was tweaked in October 2008 to increase the size of the nonce - a one-time number that's meant to be random - from 20 bits to 32 bits, thus giving would-be attackers a way to also bypass Juniper's use of ANSI X.9.31.
Stephen Checkoway, who teaches computer science at the University of Illinois at Chicago, and who was one of those involved in this research, tells Wired that increasing the size of the nonce would make it easier for attackers to deduce what it was, and thus crack any data that had been encrypted, using that nonce.
"The more output you see [from the generator], the better [it is to crack the encryption]," Checkoway says. "Anything you see over 30 bytes is very helpful. Anything you see less than 30 bytes makes the attack exponentially harder. So seeing 20 bytes makes the attack basically infeasible. Seeing 28 bytes makes it doable, but it takes an amount of time, maybe hours. Seeing 32 bytes makes it take fractions of a second."
Multiple information security experts, including the operational security expert known as the Grugq, believe the use of Dual_EC wasn't accidental. For example, UC Berkeley's Weaver says that "after looking at the ScreenOS timeline, any reasonable assumption is this was deliberate backdoor."
This is clearly a crypto backdoor added by Juniper. pic.twitter.com/R6CIcojxpTï¿½ the grugq (@thegrugq) January 8, 2016
Juniper Will Deep-Six Dual_EC
In the wake of those revelations, Worrall has promised that Juniper will release a new version of ScreenOS before July 2016 that will entirely eliminate both Dual_EC and ANSI X9.31 from the code base. But he claims that so long as users upgrade to the latest version of SceenOS - released in December, when Juniper issued its first, public warning about the backdoors - that they will be protected from any related exploits, since Juniper is using its own approach to nonces, a.k.a. "basis points," with Dual_EC.
"We remain confident that [these] patched releases, which use Dual_EC, remediate both the unauthorized administrative access issue, as well as the VPN decryption issue," Worrall says. "We believe that the existing code using Dual_EC with self-generated basis points provides sufficient cryptology notwithstanding issues with the second ANSI X.9.31 random number generator."
Numerous security experts, however, have questioned the security of any Juniper code that continues to contain Dual_EC. "The rest of the world doesn't believe you until you tell us how you generated the basis points," Weaver says via Twitter.
I've quipped that you buy Huawei to make Chinese easy, Juniper to make NSA easy. Screen Dual_EC shows that is probably no joke.ï¿½ Nicholas Weaver (@ncweaver) January 8, 2016
Reached for comment, Juniper spokeswoman Danielle Hamel reiterated CIO Worrall's assurance that the latest versions of ScreenOS are cryptographically secure. "We strongly recommend that customers upgrade their impacted systems to the patched releases with high priority," she tells Information Security Media Group.