Juniper's backdoor password disclosed, likely added in late 2013

All an attacker needs is the password and a valid username


Rapid7's Chief Research Officer, HD Moore, has posted some notes on the Juniper ScreenOS incident. After analyzing the patches released by Juniper, Moore's team discovered the backdoor password that enables the Telnet and SSH bypass.

In a blog post on Rapid7's community portal, Moore said that a quick Shodan search identified 26,000 public-facing Netscreen devices with SSH open. Considering the severity of the issues disclosed by Juniper on December 18, his team started digging.

Last week, Juniper said that an internal audit uncovered unauthorized code that was added to ScreenOS. The added code created two security issues. The first is an authentication bypass, and the second issue would allow an attacker to monitor and decrypt VPN traffic.

To address the problems created by the added code, Juniper released new versions of ScreenOS, and older versions of the firmware were also rebuilt with the backdoor removed. Moore's team analyzed the rebuilt updates and discovered the backdoor password. As part of their analysis efforts, the decompressed binaries have been made available on GitHub.

As for the backdoor password itself, it was clearly visible in a "strcmp" call in the old firmware:

<<< %s(un='%s') = %u

"This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or SSH to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges," Moore wrote.

The post also made an interesting observation. While Juniper's advisory listed versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 as affected by the backdoor issue, Moore's analysis found that the authentication bypass isn't present in the older ScreenOS versions within that range.

"We were unable to identify this backdoor in versions 6.2.0r15, 6.2.0r16, 6.2.0r18 and it is probably safe to say that the entire 6.2.0 series was not affected by this issue (although the VPN issue was present). We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14," Moore explained.

Moore's team was also able to confirm that versions 6.3.0r17 and 6.3.0r19 were affected. This is interesting, Moore said, because while the first affected version of ScreenOS was released in 2012, the authentication backdoor doesn't seem to have been added until a release in late 2013.

Detecting an attack against the authentication bypass on the device itself is described as hopeless, because an attacker who has obtained the privileged shell could easily delete the local logs. However, any logs sent to a central logging server or SIEM would be captured there and can be used to trigger alerts.

Fox-IT created Snort rules to detect access with the backdoor password.

Rapid7 is the second company to find the backdoor password; Fox-IT found it first but didn't disclose it publicly. If these two firms were able to find it with such ease, it's highly likely that criminals have as well.

This will be a busy week for IT teams across the globe, because Juniper is everywhere.

It still isn't clear where the rogue code in ScreenOS came from, but that is a question to answer later. For now, the most important task is patch management and getting the updates pushed to vulnerable devices.
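For the patch-management task described above, here is an added triage script (not from the article, Juniper or Rapid7) that checks ScreenOS version strings from a device inventory against the version ranges Juniper listed as affected and against the builds Rapid7 did or did not find the authentication bypass in. The hostnames and the out-of-range version in the sample inventory are constructed; the affected ranges and the r12/r14/r17/r19 findings are the ones the article reports.

```python
import re

# Inclusive ranges Juniper's advisory listed as affected, per the article.
JUNIPER_AFFECTED = [
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 12), (6, 3, 0, 20)),
]
# Rapid7's findings on the authentication bypass specifically, per the article.
AUTH_BYPASS_CONFIRMED = {"6.3.0r17", "6.3.0r19"}
AUTH_BYPASS_NOT_FOUND = {"6.2.0r15", "6.2.0r16", "6.2.0r18", "6.3.0r12", "6.3.0r14"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(text):
    """Turn a ScreenOS version string such as '6.3.0r17' into a comparable tuple, or None."""
    m = _VER_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def in_juniper_range(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    return any(lo <= v <= hi for lo, hi in JUNIPER_AFFECTED)


def triage(version):
    """Classify one device's version for the patch queue."""
    if not in_juniper_range(version):
        return "outside advisory range"
    if version in AUTH_BYPASS_CONFIRMED:
        return "PATCH NOW: auth bypass confirmed by Rapid7 (plus VPN issue)"
    if version in AUTH_BYPASS_NOT_FOUND:
        return "patch: VPN issue; auth bypass not found by Rapid7 in this build"
    return "patch: in advisory range; auth-bypass status not stated in article"


def triage_inventory(inventory):
    """Map each hostname in an inventory {host: version} to its triage verdict."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames are hypothetical; 6.3.0r21 is a constructed
# out-of-range value, the other versions are named in the article.
SAMPLE_INVENTORY = {
    "fw-edge-01": "6.3.0r17",
    "fw-edge-02": "6.3.0r12",
    "fw-lab-01": "6.2.0r16",
    "fw-dc-01": "6.3.0r21",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```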
