Juniper discovers unauthorised code in firewalls

Partners say timing of announcement is unfortunate but are hopeful customers who implement patch will be okay

Juniper Networks has advised its customers to apply a patched release "with the highest urgency" after discovering unauthorised code in its firewalls, a development one of its distributors has described as "very unfortunate timing".

The vendor said in a statement yesterday that a recent internal code review had unearthed unauthorised code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and, separately, to decrypt VPN connections.

All NetScreen devices running ScreenOS 6.2.0r15 - which was released in 2012 - through to 6.2.0r18, and 6.3.0r12 through to 6.3.0r20, are affected and require patching.
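As an added check, not part of the original article or of Juniper's advisory, the Python below classifies ScreenOS version strings against the two affected ranges quoted above. It accepts the plain form (6.3.0r19), the form with a trailing build number as printed by the ScreenOS `get system` command (6.3.0r19.0), and letter-suffixed builds (6.3.0r17b); because the article's ranges say nothing about letter-suffixed builds, those are flagged for manual review against the advisory rather than guessed at. The hostnames and versions in the sample inventory are constructed for the example.

```python
"""Classify ScreenOS version strings against the affected ranges quoted above.

Added example for this page; not Juniper's code. Ranges are the inclusive
6.2.0r15-6.2.0r18 and 6.3.0r12-6.3.0r20 given in the article.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Inclusive affected ranges as stated in the text.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
]

# Matches '6.3.0r19', '6.3.0r19b' and '6.3.0r19.0'. The optional trailing
# '.N' build number is ignored for range comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)([a-z]?)(?:\.\d+)?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[Tuple[int, int, int, int], str]:
    """Return ((major, minor, patch, release), suffix) for a ScreenOS version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    major, minor, patch, rel, suffix = m.groups()
    return (int(major), int(minor), int(patch), int(rel)), suffix.lower()


def classify(version: str) -> str:
    """Return 'affected', 'not-listed' or 'review'.

    'review' is returned for letter-suffixed builds whose numeric part falls in
    an affected range (e.g. 6.3.0r17b): the numeric ranges in the article do
    not cover such builds, so they must be checked against the advisory's own
    fixed-release list by hand instead of being assumed either way.
    """
    numeric, suffix = parse_version(version)
    in_range = any(
        parse_version(lo)[0] <= numeric <= parse_version(hi)[0]
        for lo, hi in AFFECTED_RANGES
    )
    if not in_range:
        return "not-listed"
    return "review" if suffix else "affected"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by classification; unparsable versions go to 'unparsed'."""
    out: Dict[str, List[str]] = {"affected": [], "not-listed": [], "review": [], "unparsed": []}
    for host, version in inventory:
        try:
            out[classify(version)].append(host)
        except ValueError:
            out["unparsed"].append(host)
    return out


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "6.3.0r19.0"),   # inside 6.3.0r12-6.3.0r20
    ("fw-dc2-edge", "6.3.0r21.0"),   # outside the quoted ranges
    ("fw-branch-07", "6.2.0r14"),    # below 6.2.0r15
    ("fw-branch-12", "6.3.0r17b"),   # letter-suffixed build: review manually
    ("fw-lab", "not a version"),     # unparsable string from a bad inventory row
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version column from whatever inventory you keep for NetScreen devices; anything in the `affected` bucket goes to the top of the patch queue, and the `review` and `unparsed` buckets are the rows to resolve by hand before declaring the estate clean.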

The announcement comes at a time when Juniper is trying to prove its credibility in the security market, said Niall McGrane, general manager at Juniper distributor Westcon Security.

Although McGrane said there is no need for panic, he advised customers to implement the patch immediately.

"If it's been around since 6.2, it's certainly been very low profile and if it was a used vulnerability, it would have hit somewhere by now," he said.

"Juniper's switching and routing is second to none. The third element of its pitch is around security and that has to be credible to provide a consolidated approach to networking. If they can do all three, they've got a unique play so the timing of this is very unfortunate when they have a raft of new security solutions coming out in Q1."

Meanwhile, Juniper partner SecureData this morning issued its customers with a threat advisory relating to the vulnerability.

SecureData chief executive Etienne Greeff said it was unlikely the issue would dent customer trust in the Juniper brand.

"Juniper isn't the first and won't be the last vendor to have a critical security vulnerability," he said. "It's more how you deal with the issue once it's discovered - how quickly you disclose it and how much information you share.

"Clearly it's distressing that a security device has a vulnerability in it, but I don't think that makes Juniper better or worse than any other security company."

Juniper absorbed a whopping $850m impairment charge relating to its "under-performing" security business in its fiscal 2014. In its most recent quarter, security revenues fell from $121.3m to $119.6m year on year, but rose for a second consecutive quarter excluding the divested Junos Pulse business.

Juniper said that the vulnerabilities are specific to ScreenOS and that it had no evidence that the SRX or other devices running Junos are impacted at this time.

"At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority," Juniper chief information officer Bob Worrall said.

"On behalf of the entire Juniper Security Response Team, please know that we take this matter very seriously and are making every effort to address these issues."