Juniper Networks to Ditch ScreenOS Crypto Tech after Audit

Juniper Networks has claimed that a security audit conducted after backdoor code was discovered in its ScreenOS software has revealed no additional unauthorized code, but it is ditching the Dual_EC crypto technology in the product anyway.

The networking giant claimed back in December that an internal code review uncovered unauthorized code which could allow attackers to gain remote control of NetScreen devices.

It also found a separate flaw which could allow “a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic.”

Despite promptly issuing patches for the issues, Juniper decided to undertake a detailed investigation of the ScreenOS and Junos OS source code, CIO Bob Worrall explained in a blog post.

“After a detailed review, there is no evidence of any other unauthorized code in ScreenOS nor have we found any evidence of unauthorized code in Junos OS,” he continued. “The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS.”

It wasn’t all plain sailing, though. Juniper has decided to get rid of its current random number generation tech - Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG).

“Further, after a review of commentary from security researchers and through our own continued analysis, we have identified additional changes Juniper will make to ScreenOS to enhance the robustness of the ScreenOS random number generation subsystem,” wrote Worrall.

“We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.”

Juniper said it is still investigating the origin of the unauthorized code.

At around the same time as the security alert, a leaked document from the Edward Snowden trove appeared to reveal that GCHQ, in co-operation with the NSA, had “acquired” the means to exploit security vulnerabilities in 13 router models.

Although that document was dated February 2011, it suggests a link between the intelligence agencies and the security holes revealed by Juniper last month.