Researcher discovers Juniper ScreenOS backdoor password


Researcher HD Moore of the security company Rapid7 has found the password that makes it possible to use the backdoor Juniper discovered in its ScreenOS. The company recently discovered “unauthorized code” in the software, which is used on NetScreen network equipment.

His disclosure follows reports that “unauthorized code” was found in Juniper’s ScreenOS software during an internal code review. In a blog post he explains how he went about it. By comparing a patched version of the ScreenOS software with a vulnerable version, he came across the following string: <<< %s(un='%s') = %u

According to the researcher, this is the password that could be used to log in to vulnerable NetScreen devices. According to him, an attacker only needed to know a valid username to bypass Telnet and SSH authentication. The password is unencrypted and, according to HD Moore, was disguised as a debug format string so that it would not be noticed.
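The comparison described above can be illustrated with a small string-level diff of two images. This is an added example, not code from HD Moore's blog post or from Rapid7; the two byte blobs are constructed stand-ins rather than ScreenOS firmware, and it is an assumption of the sample that the string is missing from the patched blob.

```python
import re

# Runs of 6+ printable ASCII bytes, similar to the Unix `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# printf-style conversions such as %s, %u, %08x.
FORMAT_SPEC = re.compile(r"%[-0 #+]*\d*(?:\.\d+)?[sducxXp]")


def extract_strings(blob: bytes) -> set[str]:
    """Return the set of printable ASCII strings embedded in a binary blob."""
    return {m.group().decode("ascii") for m in PRINTABLE.finditer(blob)}


def diff_strings(vulnerable: bytes, patched: bytes) -> dict[str, list[str]]:
    """List the strings unique to each image, sorted for stable output."""
    old, new = extract_strings(vulnerable), extract_strings(patched)
    return {"only_vulnerable": sorted(old - new), "only_patched": sorted(new - old)}


def format_like(strings: list[str]) -> list[str]:
    """Keep strings with printf conversions: they read as debug output,
    which is why a constant hidden among them is easy to skim past."""
    return [s for s in strings if FORMAT_SPEC.search(s)]


# Constructed sample images (not real firmware). Assumption for this sample
# only: the string quoted in the article is absent from the patched blob.
SHARED = b"\x00\x01login: \x00auth failed for %s\x00\x7f\x02ssh session open\x00"
VULNERABLE_IMG = SHARED + b"\xff<<< %s(un='%s') = %u\x00\x10telnetd\x00\x00"
PATCHED_IMG = SHARED + b"\xfe\x10telnetd\x00\x00patched-build\x00"


def review_candidates() -> list[str]:
    """Format-like strings that exist only in the vulnerable sample image."""
    delta = diff_strings(VULNERABLE_IMG, PATCHED_IMG)
    return format_like(delta["only_vulnerable"])


if __name__ == "__main__":
    for s in review_candidates():
        print("review:", s)
```

The shared debug string "auth failed for %s" drops out of the diff, which is the point of comparing two builds instead of reading one image's strings in isolation.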

Another of the researcher’s findings is that, contrary to reports from Juniper itself, the entire 6.2.0 series is not affected by this vulnerability. However, the ability to intercept and decrypt VPN connections is present. This was the second vulnerability identified last week. He then concludes that the first version of the affected software was released in 2012, but that the backdoor described in his blog post was not added until the end of 2013.

CNN reports that the FBI has launched an investigation into the Juniper incident. According to a spokesperson, the hack could have been carried out by a foreign government. In any case, US government officials claim that it is not the work of the US government itself.
