A backdoor password that, according to security company Rapid7, was likely chosen to appear as a debug string, has been found in some versions of ScreenOS that were vulnerable to a remote access issue disclosed by Juniper last week.
HD Moore, chief research officer at Rapid7, said in a blog post that diffing the patched and vulnerable versions of ScreenOS, with particular attention to strcmp() calls, showed that a hard-coded backdoor password existed, namely "<<< %s(un='%s') = %u".
"If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username and the backdoor password," Moore wrote. "If the device is vulnerable, you should receive an interactive shell with the highest privileges."
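The shape of the flaw Rapid7 describes, as an added illustration (this is not ScreenOS code, and the function names, privilege levels and user table below are assumptions made for the example): the real credential check is intact, but a second strcmp() against a constant that looks like a debug format string grants full privilege to any valid username. The fixed variant keeps only the account's own credential check. A third function shows the quickest triage a practitioner can do against an extracted firmware image, a byte search for the known string, which assumes the string is stored uncompressed and contiguous.

```c
#include <stdio.h>
#include <string.h>

#define PRIV_NONE  0
#define PRIV_READ  1
#define PRIV_ADMIN 2

/* The string Rapid7 identified. It is shaped like a printf() debug format
 * so that it blends in with legitimate strings in the binary. */
static const char BACKDOOR_PASSWORD[] = "<<< %s(un='%s') = %u";

struct account { const char *name; const char *password; int priv; };

/* Constructed sample user table for this example (not real credentials,
 * and stored in plaintext only to keep the illustration short). */
static const struct account USERS[] = {
    { "netscreen", "correct-horse",  PRIV_ADMIN },
    { "readonly",  "battery-staple", PRIV_READ  },
};

static const struct account *lookup_user(const char *name) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0) return &USERS[i];
    return NULL;
}

/* Vulnerable shape: a second strcmp() against a hard-coded constant sits
 * next to the real credential check. Any valid username plus the constant
 * yields the highest privilege, which matches what Rapid7 reported. */
int check_login_vulnerable(const char *name, const char *password) {
    const struct account *acct = lookup_user(name);
    if (acct == NULL) return PRIV_NONE;
    if (strcmp(password, acct->password) == 0) return acct->priv;
    if (strcmp(password, BACKDOOR_PASSWORD) == 0) return PRIV_ADMIN; /* the backdoor */
    return PRIV_NONE;
}

/* Fixed shape: only the account's own credential is accepted. */
int check_login_fixed(const char *name, const char *password) {
    const struct account *acct = lookup_user(name);
    if (acct == NULL) return PRIV_NONE;
    return strcmp(password, acct->password) == 0 ? acct->priv : PRIV_NONE;
}

/* Triage helper: byte-search a firmware image for the known backdoor string.
 * Returns the offset of the first match, or -1 if it is absent. */
long find_backdoor_string(const unsigned char *image, size_t len) {
    size_t plen = strlen(BACKDOOR_PASSWORD);
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(image + i, BACKDOOR_PASSWORD, plen) == 0) return (long)i;
    return -1;
}

/* Constructed stand-in for an extracted image: an 8-byte header, the
 * backdoor string, then filler. Not a real ScreenOS image. */
static const unsigned char SAMPLE_IMAGE[] =
    "HDR\0\0\0\0\0" "<<< %s(un='%s') = %u" "\0trailer";

long scan_sample_image(void) {
    return find_backdoor_string(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE);
}

int main(void) {
    printf("vulnerable, 'readonly' + backdoor password: priv %d\n",
           check_login_vulnerable("readonly", BACKDOOR_PASSWORD));
    printf("fixed,      'readonly' + backdoor password: priv %d\n",
           check_login_fixed("readonly", BACKDOOR_PASSWORD));
    printf("backdoor string in sample image at offset %ld\n", scan_sample_image());
    return 0;
}
```

The lesson for reviewers of authentication code is the one Moore's diffing exploited: every comparison against a constant in a login path is suspicious, and a constant that is never passed to printf() but is passed to strcmp() is the tell.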
Juniper announced last week that following an internal code review, it had discovered two critical security vulnerabilities in ScreenOS. The first would allow an attacker to decrypt VPN traffic and leave no trace of their actions, while the second allowed for the complete compromise of a device via an unauthorised remote access vulnerability over SSH or telnet.
At the time, Juniper had said that all NetScreen devices running ScreenOS 6.2.0r15 through 6.2.0r18, and 6.3.0r12 through 6.3.0r20 were affected by both issues. However, the networking hardware maker has since clarified that while those unpatched versions are vulnerable to the VPN bug, the remote access bug is now said to impact ScreenOS 6.3.0r17 through 6.3.0r20.
Rapid7 was able to confirm that versions 6.3.0r17 and 6.3.0r19 were vulnerable to the backdoor password. According to the security company, approximately 26,000 internet-facing Netscreen devices exist with SSH open.
Over the weekend, questions were raised about whether the pseudo-random number generator (PRNG) used by ScreenOS was compromised in much the same manner as the infamous NSA-backed Dual_EC_DRBG backdoor.
A Juniper support page stated that ScreenOS does use Dual_EC_DRBG, but it claims to do so in a way that "should not be vulnerable".
Google security engineer Adam Langley questioned why the Dual_EC_DRBG PRNG was used in the first place, in a blog post where he collected some Twitter-detective work on changes between Juniper's patched and unpatched versions of ScreenOS, particularly for changed encryption constants.
"In short, they used a backdoored RNG, but changed the locks. Then this attack might be explained by saying that someone broke in and changed the locks again," Langley wrote with emphasis in the original.
"We're not sure that's actually what happened, but it seems like a reasonable hypothesis at this point. If it's correct, this is fairly bananas.
"Assuming this hypothesis is correct, then, if it wasn't the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests."