You might not know what Juniper does, but you’ve probably used its hardware at some point as you surf the web unknowingly.
The company today admitted that at some point in the past, an unauthorized party added code to its ScreenOS firmware used by NetScreen devices, which could allow attackers to gain administrative access to devices as well as decrypt VPN connections.
NetScreen was acquired by Juniper all the way back in 2004 as it looked to bolster its network and application security appliance offering. Many of its products perform packet inspection as network traffic travels to detect malicious intent before it reaches end users.
It’s a huge admission, even if Juniper is trying to downplay it — though it’s impressive it disclosed it at all. The company didn’t say whether it knows who the unauthorized party is, or if it was an internal security failure rather than a breach of the company itself.
The fact that Juniper doesn’t know — or won’t admit — when the software was added or by whom is cause for concern, as it may have existed for years before detection.
Considering the NSA’s active spy programs, it’s easy to connect the dots between this attack and the spy agency’s FEEDTROUGH program, which “burrows into Juniper firewalls and makes it possible to smuggle other NSA programs” into a network.
Juniper is remaining tight-lipped about the attack, though its knowledgebase article admits that “there is no way to detect that this vulnerability was exploited” and that it can lead to “complete compromise” of the affected system.
The company has released a patch for the vulnerability for NetScreen devices, but given there’s no way to detect the attack and Juniper only just realized this code exists, it’s a big ask for customers to trust that there isn’t other code it doesn’t know about as well.
➤ Important Juniper Security Announcement [Juniper Forums]