Juniper Networks announced last week that an internal code review revealed two critical security vulnerabilities in ScreenOS, the Linux-derived operating system that powers approximately 26,000 NetScreen firewall devices on the internet today. The review uncovered two distinct issues: a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic, and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons, log in as root, and completely compromise the device.
Analysis by security company Rapid7 has shown that anyone who knew the backdoor password common to all of the affected devices only had to know a valid username to log in over SSH and receive an interactive shell with the highest privileges. The attacker could then completely compromise the device and wipe out the logs that would reveal the attack.
Juniper released a patch simultaneously with the announcement, but Network World reports that “bad actors are setting to work reverse engineering the flaw so they can exploit devices that users don’t patch, and also make a profit by selling their exploits to others.” According to John Pironti, president of IP Architects, a Juniper reseller and integrator, some users fail to apply critical patches for years and years after they have been issued. “It will be used for years,” he says. “This will not go away overnight.”
Speculation as to the source of the malicious code ranges from the NSA to the Chinese government. Reuters reports the Department of Homeland Security is investigating and CNN says the FBI is investigating as well.
This vulnerability points out the inherent risk of using point-to-point remote access methods like SSH on devices accessible over the internet. Point-to-point utilities put all privileged access management functions, including authentication, rights management and logging, on the remote device, where they can be compromised unnoticed. iTivity, by contrast, performs all privileged access management functions centrally, on servers run by the device manufacturer or its resellers. iTivity’s Linux core allows the agent running on the remote device to be readily ported to custom Linux distributions and included as an OEM component of the device. Using iTivity, SSH activity can be monitored and logged centrally, or SSH can be eliminated from the device altogether.
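As an added example (not code from this post, from Juniper, or from iTivity) of the central-logging point made above: a collector that keeps its own copy of admin-login events forwarded from a firewall, so that a remote SSH or Telnet login from an untrusted address and a later wipe of the device's local log both stay visible off the device. The log line format, the `seq=` counter, the device name and the addresses are all constructed for illustration and do not reproduce real ScreenOS output.

```python
import re
from dataclasses import dataclass, field

# Constructed syslog-style lines standing in for events a firewall forwards
# to a central collector (not real ScreenOS output).
SAMPLE_LOGS = [
    "fw1 seq=101 admin login user=netadmin src=10.0.0.5 via=console result=ok",
    "fw1 seq=102 admin login user=backup src=203.0.113.9 via=ssh result=ok",
    "fw1 seq=103 config saved user=backup",
    "fw1 seq=104 log cleared user=backup",
    "fw1 seq=106 admin login user=netadmin src=10.0.0.5 via=ssh result=ok",
]

LINE_RE = re.compile(
    r"^(?P<dev>\S+) seq=(?P<seq>\d+) (?P<event>admin login|log cleared|config saved)"
    r"(?: user=(?P<user>\S+))?(?: src=(?P<src>\S+))?(?: via=(?P<via>\S+))?"
)

@dataclass
class CentralCollector:
    trusted_mgmt: set = field(default_factory=set)   # addresses allowed to administer
    last_seq: dict = field(default_factory=dict)     # device -> last sequence number seen
    sessions: dict = field(default_factory=dict)     # (device, user) -> (src, protocol)
    alerts: list = field(default_factory=list)

    def ingest(self, line):
        m = LINE_RE.match(line)
        if not m:
            return
        dev, seq = m["dev"], int(m["seq"])
        # A jump in the device's counter means events were lost or suppressed
        # before they reached us; the central copy records that fact itself.
        prev = self.last_seq.get(dev)
        if prev is not None and seq != prev + 1:
            self.alerts.append((dev, "sequence gap", f"{prev}->{seq}"))
        self.last_seq[dev] = seq
        ev, user = m["event"], m["user"]
        if ev == "admin login":
            self.sessions[(dev, user)] = (m["src"], m["via"])
            if m["via"] in ("ssh", "telnet") and m["src"] not in self.trusted_mgmt:
                self.alerts.append((dev, "remote admin login", f"{user}@{m['src']} via {m['via']}"))
        elif ev == "log cleared":
            # The local log is gone, but the collector still knows who cleared it and from where.
            src, via = self.sessions.get((dev, user), ("unknown", "unknown"))
            self.alerts.append((dev, "local log cleared", f"by {user} from {src} via {via}"))

def run(lines=SAMPLE_LOGS, trusted=("10.0.0.5",)):
    collector = CentralCollector(trusted_mgmt=set(trusted))
    for line in lines:
        collector.ingest(line)
    return collector.alerts
```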