In addition to removing the unauthorized code and making patched releases available, Juniper undertook a detailed investigation of ScreenOS and Junos OS® source code. A respected security organization was brought in to assist with this investigation. After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS. The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS.
Further, after a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem.
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
Still, there are serious questions about this situation that have not been answered yet. Why was Juniper using the Dual_EC technology at all, when it was known to have a security flaw that is widely believed to have been inserted by the NSA? Where did the "unauthorized code" come from at all? Why was the backdoor enabled by a series of curious changes, detailed in this Wired report, without which it wouldn't have worked? What happened in 2008?
Unfortunately, those questions won't be answered for now. A spokesperson for Juniper Networks said the company has "nothing further to share" beyond the blog post.