Juniper to remove flawed crypto from ScreenOS over the next two months

No further flaws found - but Juniper will excise all trace of the compromised code anyway

Network equipment giant Juniper is to excise its ScreenOS firewall operating system of the flawed ctyptographic functions that enabled attackers to compromise the security of the software.

ScreenOS is built into Juniper's firewall, virtual private networking (VPN) and traffic-shaping products as a specialised, hardened operating system intended to maximise their security. The company rushed out a patch after the flaws were discovered and publicised just before Christmas. The software came with Juniper's 2004 purchase of firewall appliance maker NetScreen.

According to Bob Worrall, senior vice president and chief information officer (CIO) of Juniper, no other flaws have arisen following an audit of the code - which also encompassed Junos, its FreeBSD-based operating system used in the company's networking hardware - but the company will re-write the offending sections of code anyway.

"In addition to removing the unauthorised code and making patched releases available, Juniper undertook a detailed investigation of ScreenOS and Junos OS source code," wrote Worrall in a blog posting. "A respected security organisation was brought in to assist with this investigation. After a detailed review, there is no evidence of any other unauthorised code in ScreenOS nor have we found any evidence of unauthorised code in Junos OS."

He added: "After a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem.

"We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016."

The serious security flaws were found by Ralf-Philipp Weinmann, founder and CEO of German security research company Comsecuris, who suggested that the US National Security Agency might be either directly or indirectly responsible for the security breach. According to Weinmann, the code found in ScreenOS was a re-purposed decryption backdoor widely believed to have been created by the NSA. Weimann published his findings in a technical blog posting in late December.

Whoever was responsible for the breach exploited weaknesses that the NSA had, according to the leaked Edward Snowden documents, placed in an encryption algorithm called Dual_EC, which Juniper deployed to encrypt VPN traffic traversing its NetScreen firewalls. However, Juniper's engineers also mis-configured the technology. This enabled the attackers to exploit the weaknesses inherent in Dual_EC, which have been widely known for the best part of a decade.