Juniper Networks updates software in wake of security flaws

Fixing the vulnerabilities discovered in Juniper Networks equipment is proving to be a multistep affair.

After unauthorized code was found in the company's NetScreen firewall that could decrypt traffic sent over virtual private networks, Juniper first issued patched releases for the latest versions of ScreenOS, the affected software, in order to remove unauthorized administrative access and address VPN decryption.

After further investigation, however, the company also decided to replace the Dual_EC random number generator in NetScreen firewalls with the random number generation technology already used in other Junos OS products. The changes will be made starting with new ScreenOS 6.3 software and future releases in the first half of this year.

Juniper CIO Bob Worrall said the security of Junos OS has been checked by reviewing source code in “hot spots” where code similar to that found in ScreenOS could exist, including VPN code, encryption code and authentication code.

Ars Technica reported that Dual_EC has been known to contain security weaknesses since 2007 and is suspected of having a backdoor, inserted by the National Security Agency, that allows VPN decryption.

Further questions also arose from research by the University of Illinois at Chicago’s Stephen Checkoway, which shows that separate code changes made in 2008, 2012 and 2014 made it easier for adversaries to break the NetScreen firewall encryption, Ars Technica explained.

These software flaws have become a source of concern for the federal government, with the Department of Defense warning contractors of the vulnerability, which could compromise affected systems.  

According to Juniper, the investigation of the origin of the unauthorized code is ongoing.

About the Author

Amanda Ziadeh is a Reporter/Producer for GCN.

Prior to joining 1105 Media, Ziadeh was a contributing journalist for USA Today Travel's Experience Food and Wine site. She's also held a communications assistant position with the University of Maryland Office of the Comptroller, and has reported for the American Journalism Review, Capitol File Magazine and DC Magazine.

Ziadeh is a graduate of the University of Maryland where her emphasis was multimedia journalism and French studies.
