Following Juniper’s announcement that its ScreenOS platform contained unidentified code that it couldn’t trace, it took just three days for security researchers to reverse engineer the patch and find the backdoor.
According to a post on Rapid7 Community, the password was discovered by analyzing the difference between the patched NetScreen update released Friday and the previous version.
The password is cleverly disguised as a string that may look like a debug format used elsewhere in the code — << %s(un=’%s’) = %u, — which allows a user to bypass authentication via SSH and Telnet as long as a valid username is supplied.
As Juniper confirmed on Friday in its initial announcement, detecting the exploitation of the backdoor is incredibly difficult and in many cases impossible. Researchers, however, have created a set of rules that can be used to detect any connection via SSH to ensure all attempts are caught in a log.
The group also found that the backdoor didn’t appear in the software releases until sometime in 2013, despite Juniper’s claims it was unable to trace when the malicious code was added.
If your business has an affected NetScreen device, it’s worth updating immediately: now that the password has been discovered, exploitation attempts are likely to increase rapidly.
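The logging approach described above, sketched as an added example that is not the researchers' rule set or code from the original article: record every SSH connection to a NetScreen management address and mark the ones from outside the expected management network for review. It extends to Telnet, since the article names both; the device addresses, allowlist and flow-log line format are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (all constructed for illustration): device addresses, the
# management allowlist, and the flow-log line format parsed below.
NETSCREEN_DEVICES = {"192.0.2.10", "192.0.2.11"}
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
ADMIN_PORTS = {22: "ssh", 23: "telnet"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp\b"
)

# Constructed sample input, not real traffic.
SAMPLE_FLOWS = """\
2015-12-21T09:14:02Z src=10.20.0.15 dst=192.0.2.10 dport=22 proto=tcp
2015-12-21T09:15:40Z src=203.0.113.77 dst=192.0.2.10 dport=22 proto=tcp
2015-12-21T09:16:05Z src=10.20.0.15 dst=192.0.2.50 dport=22 proto=tcp
2015-12-21T09:17:31Z src=198.51.100.4 dst=192.0.2.11 dport=23 proto=tcp
2015-12-21T09:18:00Z src=10.20.0.15 dst=192.0.2.11 dport=443 proto=tcp
malformed line
"""

def review_flows(text):
    """Return one record per SSH/Telnet connection to a listed device.

    Every admin connection is kept, because backdoor use is hard to tell
    apart from a normal login; sources outside the management allowlist
    are marked for review.
    """
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # not a TCP flow record in the assumed format
        port = int(m["dport"])
        if m["dst"] not in NETSCREEN_DEVICES or port not in ADMIN_PORTS:
            continue  # not an admin service on a tracked device
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # unparseable source address
        allowed = any(src in net for net in MGMT_ALLOWLIST)
        records.append({"time": m["ts"], "src": str(src), "dst": m["dst"],
                        "service": ADMIN_PORTS[port], "review": not allowed})
    return records

if __name__ == "__main__":
    for r in review_flows(SAMPLE_FLOWS):
        tag = "REVIEW" if r["review"] else "ok"
        print(f"{tag:6} {r['time']} {r['src']} -> {r['dst']} ({r['service']})")
```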