Not One ... But Two Backdoors to choose from!
I have just been down in London to present evidence on my specialist subject - cryptography - on the Investigatory Powers Bill [here] in the House of Commons, and there was lots of talk over the addition of "bulk access" and "backdoors". So it's not often that a company announces that they have not one ... but two backdoors on their products. If you're interested in backdoors in software, here is an overview:
The two vulnerabilities are:
- CVE-2015-7755: Juniper ScreenOS authentication backdoor. With this, ANY user name can log in with the password "<<< %s(un='%s') = %u".
- CVE-2015-7756: Juniper ScreenOS VPN decryption (mitigation [here]). This allows the encrypted cipher streams to be cracked.
Background
At one time there was only one company on the block when it came to networking: Cisco. But another one came along and picked off some core networking functions, and gave us a configuration method that just seemed more structured than Cisco IOS. That company was Juniper. Their boom time happened in 2011, when their stock and market share rocketed:
while Cisco saw their peak in 2000 and have generally stabilized since then:
While the networking boom is now over, there is a drift upwards as companies start to invest in improved connectivity, especially in security devices and in load balancing.
Juniper is now the second largest vendor of networking equipment after Cisco. The firewalls which contain the backdoors use the ScreenOS software, which was initially designed by NetScreen (acquired in 2004 by Juniper). Overall the backdoors have hit Juniper's share price, with a drop of almost 5% in a day.
Backdoor password
So it was a shock this week when Juniper announced that there were two backdoors on their devices, which allowed intruders to gain administrator access and also decrypt encrypted content. It was the kind of shock that has not been seen since the asleap script was released, which could crack most Cisco Wi-Fi access points that used the LEAP authentication method.
With backdoors in cryptography being a hot topic, on Thursday Juniper revealed that it had traced "unauthorized" code within the ScreenOS operating system on some of its firewalls, which allowed an intruder to take complete control of Juniper's NetScreen firewalls using a hard-wired password. This would allow them to decrypt all the encrypted traffic for VPN connections. There is a patch for this, but intruders can now determine the required password - which has been hard-wired into the code - by examining the ARM code used in the backdoor:
The strange thing is that the password, "<<< %s(un='%s') = %u", looks like a fragment of standard C/C++ code (a printf-style format string) rather than a password. It is a bit like adding:
password = "let a = b + 1"
The following is a sample login:
$ ssh system@192.168.1.1
Password: <<< %s(un='%s') = %u
Analysts managed to identify the password in just six hours. Overall the logs would just show that there was a successful login with "system":
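As an added defensive check (not from this post or from Juniper), the following Python correlates constructed ScreenOS-style admin-login lines and flags the pattern described above: any user name accepted at the prompt, but the session recorded as "system". The log wording and event codes are assumptions modelled on ScreenOS admin-login events, so check the patterns against your own devices' logs.

```python
import re

# Constructed sample lines modelled on ScreenOS admin-login events; the exact
# format is an assumption, so check the patterns against your own devices' logs.
SAMPLE_LOG = """\
2015-12-17 09:00:00 system warn 00515 Admin user netadmin has logged on via SSH from 10.0.0.5:51000
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'netadmin' at host 10.0.0.5
2015-12-17 09:05:10 system warn 00515 Admin user system has logged on via SSH from 203.0.113.7:44444
2015-12-17 09:05:10 system warn 00528 SSH: Password authentication successful for admin user 'anything' at host 203.0.113.7
"""

LOGON = re.compile(r"^(\S+ \S+) .*Admin user (\S+) has logged on via \S+ from ([\d.]+)")
AUTH = re.compile(r"^(\S+ \S+) .*authentication successful for admin user '([^']+)' at host ([\d.]+)")

def parse_events(log_text):
    """Index both event types by (timestamp, source host) -> user name."""
    logons, auths = {}, {}
    for line in log_text.splitlines():
        m = LOGON.match(line)
        if m:
            logons[(m.group(1), m.group(3))] = m.group(2)
        m = AUTH.match(line)
        if m:
            auths[(m.group(1), m.group(3))] = m.group(2)
    return logons, auths

def find_backdoor_logins(log_text, known_admins=frozenset()):
    """Flag logons as the built-in 'system' account, logons whose name differs
    from the name that authenticated (any name works with the backdoor password,
    but the session is recorded as 'system'), and names outside the allow-list."""
    logons, auths = parse_events(log_text)
    findings = []
    for (ts, host), user in logons.items():
        reasons = []
        if user == "system":
            reasons.append("logged on as built-in 'system'")
        authed = auths.get((ts, host))
        if authed and authed != user:
            reasons.append(f"authenticated as '{authed}' but logged on as '{user}'")
        if known_admins and user not in known_admins:
            reasons.append("account not in admin allow-list")
        if reasons:
            findings.append((ts, host, user, reasons))
    return findings

if __name__ == "__main__":
    for ts, host, user, reasons in find_backdoor_logins(SAMPLE_LOG, {"netadmin"}):
        print(ts, host, user, "; ".join(reasons))
```

This only has value against logs forwarded off the device, since anyone holding administrator access can clear the local entries.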
In 2013, Der Spiegel outlined the FEEDTHROUGH method, which maintained a backdoor onto Juniper firewalls. This approach was different from the latest backdoors, as it was a post-compromise implant.
Random number generator backdoor
Along with this, a backdoor was found for decrypting traffic from VPNs created by a Juniper firewall. The company may also have used Dual EC (Elliptic Curve) DRBG (Deterministic Random Bit Generator) for generating the random numbers required to create VPN tunnels. This method, which was promoted by the NSA, has known weaknesses and can be cracked.
The possible backdoor in Dual EC DRBG has been known about since 2004, and the team who worked on it had the chance to plug the gap but failed to. It thus allows law enforcement agencies to crack SSL/TLS encrypted traffic which used the method for random number generation. It was thus assumed that no-one would use the method, but, in Juniper's case, it has been found in some of their devices.
In 2013, Edward Snowden showed NSA memos which indicated that the NSA had been the sole editor of the standard, whereas NIST responded that it did not deliberately weaken any cryptography standard. The following year, NIST recommended that companies stop using it and withdrew it from its draft guidance on random number generation. Also in 2013, OpenSSL was found to be implementing the method, which allowed TLS/SSL connections to be decrypted.
If you're interested, here's a simple random number generator:
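Separately from the author's generator linked above, here is an added toy model of Dual EC DRBG (not Juniper's or the author's code) that shows the structural flaw on a tiny constructed curve: whoever chose Q while knowing P = e*Q recovers the internal state from a single output and predicts everything after it. The curve, seed and e are constructed, and the toy omits the 16-bit truncation of the real standard, which only costs the holder of e a few thousand extra tries.

```python
# Added toy Dual EC DRBG (not Juniper's code); curve, seed and e are constructed.
P_MOD = 2**31 - 1   # prime field; p = 3 (mod 4) makes sqrt a single pow()
A, B = 2, 3         # curve y^2 = x^3 + A*x + B mod P_MOD
inv = lambda v: pow(v, P_MOD - 2, P_MOD)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):  # a curve point with this x (either sign of y), or None
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

# Public constants: Q is any point; the designer picks e and sets P = e*Q.
# Knowing e is the backdoor. NIST's P and Q came with no derivation at all.
Q = next(pt for pt in map(lift_x, range(1, 1000)) if pt)
E_SECRET = 1337
P = mul(E_SECRET, Q)

def dual_ec_step(s):
    """One round: state s' = x(s*P), output r = x(s'*Q).
    The real standard drops 16 bits of r (2^16 lifts to try); the toy drops none."""
    s_new = mul(s, P)[0]
    return s_new, mul(s_new, Q)[0]

def recover_state(r, e):
    """Lift r to R = +/-s'*Q; then e*R = +/-s'*P, whose x is the next state."""
    return mul(e, lift_x(r))[0]
def demo(seed=123456789):  # victim emits r1; holder of e predicts unseen r2
    s1, r1 = dual_ec_step(seed)
    s2, r2 = dual_ec_step(s1)
    s2_guess = recover_state(r1, E_SECRET)
    return s2_guess == s2 and mul(s2_guess, Q)[0] == r2
```

The lesson for a defender is that a DRBG whose constants come with no public derivation cannot be audited by inspecting the code, which is why NIST withdrew it.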
Conclusions
Firewalls supporting VPN access have long been a target for nation-state actors, and will continue to be, as they tunnel traffic from one place to another. Adding backdoors is one way that intruders can gain access to secret communications, but eventually it is likely to be found, as no-one can hide the running code.
The NetScreen firewalls have been running for eight years now, so there are worries that these firewalls have been monitored over this period. No-one is sure whether Juniper spotted this with their own code review or whether they were tipped off. Overall it is a sloppy implementation for a nation state, as the password was hard-wired and fairly easy to spot.
Overall the company announced two backdoors, one for the VPN access and another for the administrator password access, which hints at the two not being connected.
So did Juniper add the backdoors intentionally or did it happen without them knowing? Like it or not, cryptography is in the firing line! Was it just another coder who didn't quite know that they were implementing a weak random number generator, or who wanted a way back into the device?
I know there are deep social and political issues here, but as a "techie" I find the whole area of backdoors fascinating:
and here is my "simple" Juniper simulator: