
This article was published on December 21, 2015

    It took just three days to find the password for Juniper’s backdoored security devices

    Story by

    Owen Williams


    Following Juniper’s announcement that its ScreenOS platform contained unidentified code that it couldn’t trace, it took just three days for security researchers to reverse engineer the patch and find the backdoor.

    According to a post on Rapid7 Community, the password was discovered by analyzing the difference between the patched NetScreen update released Friday and the previous version.

    The password is cleverly disguised as a string that looks like a debug format used elsewhere in the code: << %s(un='%s') = %u. It allows a user to bypass authentication via SSH and Telnet as long as a valid username is supplied.

    As Juniper confirmed on Friday in its initial announcement, detecting the exploitation of the backdoor is incredibly difficult and in many cases impossible. Researchers, however, have created a set of rules that can be used to detect any connection via SSH to ensure all attempts are caught in a log.

    The group also found that the backdoor didn’t appear in the software releases until sometime in 2013, despite Juniper’s claims it was unable to trace when the malicious code was added.

    If your business has an affected NetScreen device, it's worth updating immediately: now that the password has been discovered, exploitation attempts are likely to increase rapidly.

    CVE-2015-7755: Juniper ScreenOS Authentication Backdoor [Rapid7]