# “Unauthorized code” in Juniper firewalls



## gofer_touch (Dec 18, 2015)

I guess many of you may have already seen this. It will be interesting to see how they deal with this.

http://arstechnica.com/security/201...per-firewalls-decrypts-encrypted-vpn-traffic/


----------



## wblock@ (Dec 18, 2015)

Oko said:


> FreeBSD Jail infrastructure has also well known vulnerabilities which can be used to unlock Playstation 4?


Unless that is somehow related, please take it to a different thread.


----------



## phoenix (Dec 18, 2015)

gofer_touch said:


> I guess many of you may have already seen this. It will be interesting to see how they deal with this.
> 
> http://arstechnica.com/security/201...per-firewalls-decrypts-encrypted-vpn-traffic/



Note:  This is in their ScreenOS-based devices (Juniper NetScreen), which have been end-of-lifed for 7-odd years now, although they are still offering support for existing boxes.  And not in their JunOS-based devices (the Juniper firewalls and routers that you can actually buy).

AFAIUI, ScreenOS isn't based on FreeBSD, only their JunOS is.


----------



## wblock@ (Dec 19, 2015)

Given source control, it should be easy enough to find out who committed the code.  It will be interesting to see whether that is made public.


----------



## Phishfry (Dec 19, 2015)

Sure are making the case in point for an Open Source Firewall...


----------



## Phishfry (Dec 19, 2015)

Not to worry, CIPSA will save us all.
How ironic: now Juniper is required to report and cooperate with the NSA that they got hacked...

The cynic in me says they just got legal indemnification for this.


----------



## Crivens (Dec 21, 2015)

Yep, one of the first questions will be "How did you find out about us- aeh, 'them'?"
But make no mistake, Juniper takes the hard road to publicly show this is happening. What about the rest of the vendors? They are safe, right? No one backdoored them?


----------



## gofer_touch (Dec 21, 2015)

After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.


----------



## Oko (Dec 21, 2015)

gofer_touch said:


> After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.


That is not how the real world operates in the U.S.


----------



## Beastie7 (Dec 21, 2015)

gofer_touch said:


> After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.



There's a multitude of reasons. Keep in mind that not all proprietary products are bad. However, what is more favorable for this part of infrastructure that open source provides is transparency and open auditing. Commodity networking gear is still an unsolved problem.


----------



## wblock@ (Dec 21, 2015)

gofer_touch said:


> After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.


As with anything else, it's a combination of reasons.  Many, many people are not really concerned with security so much as having someone to blame.  Set up your own security, and you are responsible.  Buy some prepackaged thing, and the perception is that the vendor is responsible.  (People love service contracts for the same reason.  More money, more downtime than spare equipment, but "not our fault".)

Oko, please feel free to explain what you mean.  The US is not the only country with business and government corruption.


----------



## shepper (Dec 21, 2015)

wblock@ said:


> The US is not the only country with business and government corruption.



At least U.S. citizens are, to some immeasurable degree, aware.  That said, I have been notified twice in the past year that my information at the U.S. Department of Personnel Management and at my health insurance provider was downloaded.  The mitigation, from the .gov and the .com, was laughable: go to another website and enter my personal data (i.e. put it all in one place), so that this new entity, who I know nothing about, can monitor my data and thereby "protect" me.



Edited for clarity and punctuation.


----------



## Oko (Dec 21, 2015)

wblock@ said:


> Oko, please feel free to explain what you mean.  The US is not the only country with business and government corruption.


Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall? Check out this and tell me if you see any BSD:
http://www.disa.mil/network-services/ucco
https://www.fedramp.gov/marketplace/compliant-systems/

Now go and play with bhyve(8).


----------



## gofer_touch (Dec 22, 2015)

Oko said:


> Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall? Check out this and tell me if you see any BSD:
> http://www.disa.mil/network-services/ucco
> https://www.fedramp.gov/marketplace/compliant-systems/
> 
> Now go and play with bhyve.



Well the European Parliament's researchers surely have enough faith in OpenBSD to mention them in a report designed to increase awareness about information security and increase investment in open source security tools.

https://joinup.ec.europa.eu/community/osor/news/ep-study-“eu-should-finance-key-open-source-tools”

(See pages 52 and 53 of part 1 of the report).

For convenience:

"OpenBSD is a free, open-source multi-platform 4.4 Berkeley Software Distribution (BSD)-based UNIX-like operating system. Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways"


----------



## Oko (Dec 22, 2015)

I have been living for over 20 years in the U.S. I have no idea what the Bruxelles' Politburo thinks about OpenBSD, but I can tell you that U.S. government agencies have full faith in the technical competence of U.S. companies (IBM, HP, Oracle, Google, Microsoft, and similar), and U.S.-based open source projects (RedHat, Python etc.), often sponsored by DARPA and similar agencies, to provide software solutions for military and civilian use.

If there is a hole in a Juniper or Cisco firewall, it is there for a reason, not because people are not competent to plug it. Also, in the U.S. any software product without a large legal entity which can be sued in case something goes wrong is essentially non-usable, except for research purposes or as a base for proprietary products.

This is U.S. MBA class 101.


----------



## Crivens (Dec 22, 2015)

Oko said:


> Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall?


I thought that mentioning the U.S. and "real world" in one sentence was stretching it a bit. From the outside, the political U.S. looks like a crash derby with clown cars. But then, same thing here.

Most of the politicians in the U.S., same as elsewhere, will trust those who will line their pockets. This is what they understand. That other stuff is nerd stuff. The point with suing someone is the real reason, I think. Worse than "my fault" is to explain to the beancounters that no one is there to pay for the fallout.

Also, with open source, there still is the nimbus of arcane invocations and insider knowledge. You need to understand it _yourself_. And that is not for those who try to exchange money for "not my problem".

Again, I do not believe one ms that there are no backdoors in other equipment, be it from the U.S. or China or Andorra. Juniper disclosed the bug in some EOL part, which I think is some kind of whistleblowing on their end. And I think it will turn out to be the fault of two or three rogue engineers. As always.


----------



## Oko (Dec 22, 2015)

gpatrick said:


> It also could have been the Chinese, North Koreans, Russians, Iranians....
> 
> Everyone assumes the NSA when those other nations have as much or more reasons to circumvent security devices.


Or Israel, Japan, South Korea, Germany and alike.

If I am in North Korea sitting in my rice paddy hoping to harvest enough rice to survive next winter, hacking your stupid corporate firewall to get the secrets for your latest iPhone gadget is not very high on my agenda.


----------



## Beastie7 (Dec 22, 2015)

This is a business opportunity for pfSense. Get'rr done!


----------



## drhowarddrfine (Dec 22, 2015)

Yeah, I find it interesting to see, in the usual places, the immediate jump to it being the NSA without consideration that select other countries are just as likely, if not more so, to do the same thing.


----------



## Phishfry (Dec 22, 2015)

Wow. After all that Snowden showed you still have doubts?
How much is the USA black budget?


----------



## Beastie7 (Dec 22, 2015)

You're opening up a bad can of worms man.. lol.


----------



## Phishfry (Dec 22, 2015)

I guess the truth of the matter is we will never know.
When you live under a secret government you will inevitably end up with conjecture.


----------



## ronaldlees (Dec 23, 2015)

Oko said:


> Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall? Check out this and tell me if you see any BSD:
> http://www.disa.mil/network-services/ucco
> https://www.fedramp.gov/marketplace/compliant-systems/
> 
> Now go and play with bhyve.



I think bhyve is a much better idea.   I don't have the temerity to click either of those links today, since I may want to fly someplace someday.

I wonder how big those codebases are?  Stuff today is so full of bagatelle, such that it provides the nice tall grass wherein the gaff or sploit may hide.  I like skinny stuff, so I can see the bumps sticking out (like FreeBSD's base, which expands to 285 MB, vs. NAS4Free to 85 MB; FreeBSD hangs 750 modules on the belt, versus 50 for NAS, etc., etc.).  Securing anything in an ocean of code is impossible, so IT (smartly) takes the option that lets them blame someone else.


----------



## Crivens (Dec 25, 2015)

gpatrick said:


> It also could have been the Chinese, North Koreans, Russians, Iranians....
> 
> Everyone assumes the NSA when those other nations have as much or more reasons to circumvent security devices.


I think the list of entities not interested in doing this is much shorter... But as ronaldlees already (kind of) stated, you want to fly someplace sometime. And neither the Chinese nor the Iranians are standing here at the airport to deny me the flight, based on stuff fished off the internet about what I did there.


----------



## Phishfry (Apr 9, 2016)

They got it all fixed up now.
https://threatpost.com/juniper-completes-removal-of-dual_ec/117297/


----------



## Uniballer (Apr 9, 2016)

This won't really be over until every Juniper firewall has been upgraded to remove the "unauthorized code".  That is, probably never.


----------



## Uniballer (Apr 19, 2016)

New analysis and continued discussion on this breach and its aftermath over at Schneier on Security.


----------

