Juniper Networks updates software in wake of security flaws
- By Amanda Ziadeh
- Jan 13, 2016
Fixing the vulnerabilities discovered in Juniper Networks equipment is proving to be a multistep affair.
After unauthorized code was found in the company's NetScreen firewall that could decrypt traffic sent over virtual private networks, Juniper first issued patched releases for the latest versions of ScreenOS, the affected software, in order to remove unauthorized administrative access and address VPN decryption.
After further investigation, however, the company also decided to replace the Dual_EC random number generator in NetScreen firewalls with the random number generation technology already used in other Junos OS products. The changes will be made starting with new ScreenOS 6.3 software and future releases in the first half of this year.
Juniper CIO Bob Worrall said the security of Junos OS has been checked by reviewing source code in “hot spots” where code similar to that in ScreenOS could be found, including VPN code, encryption code and authentication code.
Ars Technica reported that Dual_EC has been known to contain security weaknesses since 2007 and is suspected of having a backdoor, inserted by the National Security Agency, that allows VPN decryption.
Further questions also arose from research by the University of Illinois at Chicago’s Stephen Checkoway, which shows that separate code changes made in 2008, 2012 and 2014 made it easier for adversaries to break the NetScreen firewall encryption, Ars Technica explained.
These software flaws have become a source of concern for the federal government, with the Department of Defense warning contractors of the vulnerability, which could compromise affected systems.
According to Juniper, the investigation of the origin of the unauthorized code is ongoing.
Amanda Ziadeh is a former reporter/producer for GCN.