Juniper silent on claims that China was the source of compromise in ScreenOS

"Unauthorised code" in firewall operating system maintained in China

Juniper Networks has declined to respond to claims that the "unauthorised code" found in some of the company's networking hardware, which effectively created a back door, was injected into its products by someone working at the company's China-based facilities.

The company admitted on Thursday last week that it had found the code and immediately alerted customers. In the meantime, the company is rushing out updates to remove the code from affected hardware.

The unauthorised code has been present in various versions of the company's ScreenOS operating system since at least August 2012, and would have enabled attackers to take total control of Juniper's NetScreen firewalls. It would also have enabled attackers to decrypt encrypted traffic running through those firewalls.

"During a recent internal code review, Juniper discovered unauthorised code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," wrote Juniper CIO Bob Worrall in a security incident response report admitting the compromise. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."

The company has subsequently suggested that the compromise is "more limited" than originally believed. An update to the company's advisory indicated that the "administrative access flaw" or CVE-2015-7755 "only affects ScreenOS 6.3.0r17 through 6.3.0r20", while CVE-2015-7756 - the VPN decryption compromise - "only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20".

However, it still raises questions over how the code was injected into the operating system, and how it was able to remain undiscovered for more than three years.

Sources who have contacted the press have suggested that ScreenOS, which Juniper acquired in 2004 via its $4bn acquisition of NetScreen, is maintained in China - although no harder evidence has emerged to suggest that it is the source of the compromise. The company opened its research and development facility in Beijing at the end of that year to "leverage the Chinese roots of NetScreen Technologies".

Computing has contacted Juniper to request further information and comment, but has yet to receive a response. In the meantime, the US Federal Bureau of Investigation is now investigating the matter - a move no doubt partly motivated by the widespread use of Juniper networking and firewall products in government and the military in the US, UK and elsewhere.