Juniper will launch one other patch for its backdoored firewalls
A few weeks after saying it discovered “unauthorized code” in firewalls that would’ve let somebody spy on safe VPN visitors, Juniper Networks has one other replace on the difficulty. Regardless of the discharge of a patch that it says makes the firewalls safe, Juniper will go a step additional with one other replace that swaps out the flawed Dual_EC random quantity generator within the affected ScreenOS software program for newer know-how, which can arrive within the first half of 2016. It has additionally accomplished an investigation of the supply code for that product, and its newer Junos OS-powered units, and haven’t discovered any proof of comparable code.
Along with eradicating the unauthorized code and making patched releases obtainable, Juniper undertook an in depth investigation of ScreenOS and Junos OS® supply code. A revered safety group was introduced in to help with this investigation. After an in depth evaluate, there isn’t any proof of another unauthorized code in ScreenOS nor have we discovered any proof of unauthorized code in Junos OS. The investigation additionally confirmed that it will be far more troublesome to insert the identical sort of unauthorized code in Junos OS.
Additional, after a evaluation of commentary from safety researchers and thru our personal continued evaluation, we have now recognized further modifications Juniper will make to ScreenOS to reinforce the robustness of the ScreenOS random quantity era subsystem.
We’ll exchange Dual_EC and ANSI X9.31 in ScreenOS 6.three with the identical random quantity era know-how at present employed throughout our broad portfolio of Junos OS merchandise. We intend to make these modifications in a subsequent ScreenOS software program launch, which shall be made obtainable within the first half of 2016.
Nonetheless, there are critical questions about this example haven’t been answered but. Why was Juniper utilizing the Dual_EC know-how in any respect, when it was recognized to have a safety flaw that’s extensively believed to have been inserted by the NSA? The place did the “unauthorized code” come from in any respect? Why is the existence of the backdoor enabled by a collection of curious modifications, detailed on this Wired report, with out which it would not have labored? What occurred in 2008?
Sadly, these questions will not be answered for now. A spokesperson for Juniper Networks stated the corporate has “nothing additional to share” past the weblog submit.