At the end of December last year Juniper Networks discovered that some malicious actors had added code to the firmware and software that run their routers, creating a back door that would allow attackers to access the router remotely, assume administrator privileges, and view and decrypt VPN traffic running through the routers. As the story unfolded, it turns out that Juniper was using a random number generator from NIST, and that the NSA had contributed to the code development. And maybe installed a backdoor. Juniper is removing this code element.
Juniper’s advisory said:
“During an internal code review, two security issues were identified.
Administrative Access (CVE-2015-7755) allows unauthorized remote administrative access to the device. Exploitation of this vulnerability can lead to complete compromise of the affected device.
VPN Decryption (CVE-2015-7756) may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue.
There is no way to detect that this vulnerability was exploited.”
Logrhythm has an excellent technical explanation of the issue on their blog.
These routers have been deployed by many governmental agencies and large enterprise businesses. Losses at this point are unknown. Juniper has release a patch to remove the code and close the backdoor, and is advising their customers that this critical update be administered immediately.
Cisco Systems, another major networking device manufacturer, has initiated its own investigation into their own code base to see if their equipment has been similarly compromised.
So what is a router exactly? A router is a device that sits between two or more dissimilar networks and forwards data packets to the correct network. Typically, the company that provides your Internet access is running their operations on a network with addresses that are different from, and incompatible with, the network addresses you are using on your LAN or internal network. A router provides a way for these two networks to communicate. Typically, we consider a router and “edge” device, as it sits at the edge of our business network.
So the ability to access your router means an attacker has pretty much gained unfettered access to your entire network. They certainly are in a great position to monitor all traffic entering and leaving the LAN. So this code flaw represents an huge security hole. If this affects your network, and you haven’t’ fixed it by now, well – why not?
Wednesday, we will look at issues with consumer Internet routers. The situation is not much better, as we will see.
- Juniper advisory
- Silicon Beat
- Help Net Security
- Logrhythm Blog
- Juniper blog post from 1-8-2016
- TechRepublic – Juniper removes NSA code
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com