Juniper removes elements of its ScreenOS software that contained vulnerabilities

Network equipment manufacturer Juniper is going to replace the random number generators in ScreenOS 6.3 with other software. The existing technologies, Dual_EC and ANSI X9.31, were found to be highly vulnerable to outside attacks last December.

The American company announced the news in a blog post. The two software elements will be replaced by the same random number generator that Juniper already deploys in Junos OS, another operating system for the company's network equipment. This does not mean that the current versions of ScreenOS and the two components in question are still vulnerable; Juniper published the necessary updates immediately after the vulnerabilities were made public. Nevertheless, the company is moving away from the code. This update should take place in the first half of 2016.

On December 18, 2015, Juniper announced that it had discovered "unauthorized code" in the two software elements of its ScreenOS. This code made it possible for an attacker to remotely decrypt VPN traffic and gain administrative access on select Juniper devices. At the time, the company said that it did not know where the code came from. The vulnerable software has been present on the company's network equipment since 2012, but it is not known how much the backdoors have been used in practice.

Although the code is said to show traces of government action, it is not clear which party is behind it. Juniper would be of interest to the intelligence services NSA and GCHQ because of the distribution of Juniper devices around the world and the number of SSL VPN services the company provides. However, there is no direct evidence that the intelligence services are behind the backdoors.
