The "unauthorized code" reported yesterday that could enable untraceable backdoor access to VPN traffic on certain Juniper Networks firewalls is now being investigated by the FBI. That news comes from CNN, which said that a US government official described the vulnerability as "stealing a master key to get into any government building." There's no word yet on which government agencies or private companies may have been using the specific ScreenOS-powered devices affected, but that's what the Department of Homeland Security is now trying to find out.
"Hmmm. It took @foxit 6 hours to find the password for the ssh/telnet backdoor in the vulnerable Juniper firewalls. Patch now" — Ronald Prins (@cryptoron) December 18, 2015
The biggest question, of course, is how the code got into Juniper's software at all, and whether it has ever been used. If someone knew about the vulnerabilities, they'd not only be able to decrypt VPN traffic on a particular network, but they could also scrub any log entry that would otherwise note the unauthorized access. It's also affecting discussions where some government officials insist on backdoor access to secure networks and services for law enforcement, even though security experts insist that inserting such vulnerabilities actually weakens security for everyone. For its part, Juniper Networks has already released patches closing the security holes, as well as an unrelated issue that could leave its firewalls open to DoS attacks, which you can find out more about here.