A couple of weeks after announcing it found "unauthorized code" in firewalls that could've let someone spy on secure VPN traffic, Juniper Networks has another update on the issue. Despite the release of a patch that it says makes the firewalls secure, Juniper will go a step further with another update that swaps out the flawed Dual_EC random number generator in the affected ScreenOS software for newer technology, which will arrive in the first half of 2016. It has also completed an investigation of the source code for that product and for its newer Junos OS-powered devices, and has not found any evidence of similar code.
In addition to removing the unauthorized code and making patched releases available, Juniper undertook a detailed investigation of ScreenOS and Junos OS® source code. A respected security organization was brought in to assist with this investigation. After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS. The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS.
Further, after a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem.
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
Still, there are serious questions about this situation that have not been answered yet. Why was Juniper using the Dual_EC technology at all, when it was known to have a security flaw that is widely believed to have been inserted by the NSA? Where did the "unauthorized code" come from in the first place? Why did the backdoor depend on a series of curious changes, detailed in this Wired report, without which it wouldn't have worked? What happened in 2008?
Unfortunately, those questions won't be answered for now. A spokesperson for Juniper Networks said the company has "nothing further to share" beyond the blog post.