Tag Archives: Juniper

Cisco, Juniper Hardware Flaw May “Brick” Firewalls in 18-36 Months

First it was Cisco; now it is Juniper, and apparently a number of other vendors will be affected by this flaw as well.

While neither company is naming the vendor of the flawed part inside its products, it is believed to be Intel’s Atom C2000 chip.  Intel has acknowledged a problem with that chip (a clock signal that degrades over time until the system can no longer boot) that matches the description Cisco and Juniper have given of the fault in their hardware.  Stay tuned.

Cisco has set aside $125 million to cover replacement of the faulty equipment.

So what, exactly, is the problem?

Juniper and Cisco say that a flaw in a clock-signal component used in their switches, routers and security devices can cause the device to fail, beginning at roughly 18 months of operation.  Once it fails, the device will not boot and cannot be recovered.  It is, as we geeks like to say, “bricked”.

Cisco says certain models of its 4000 series Integrated Services Routers, ASA security appliances, Nexus 9000 switches and other devices are affected.

Juniper said that 13 models of switches, routers and other products are affected.

Juniper says the devices cannot be repaired in the field.  It also said it started using this component in January 2016, so the 18-month mark is rapidly approaching.  It says it is working with affected customers.

HP has announced that some of its products use the Intel C2000 and may be affected as well.  Expect more manufacturers to make announcements as they analyze their product lines.

For users, if your product was under warranty or a service contract as of November 16, 2016, Cisco will replace the device proactively.  Cisco says it expects only a limited number of failures at 18 months, with a more significant failure rate as devices reach the three-year mark.

For customers not under warranty or a service contract, well ……… I think you may be on your own.

If you have products that use this component, you should work with your suppliers to understand the risk and figure out how to mitigate it.


Information for this post came from Network World and CIO.


CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belong to a group that has been called the Equation Group, which is widely believed to be tied to the NSA.

Whether the Equation Group is real, and whether it is a contractor selling exploits to the NSA or part of the NSA itself, is not terribly relevant in the big picture.

What is relevant is that they released a large set of exploits that are being used, and likely, at least some of them, have been used for a while, to silently break into corporate networks.  And probably government networks too.  The exploits attack Cisco, Juniper, Fortinet and Topsec (a Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cyber Command was created: the same organization that is responsible for hacking people (the NSA) is also responsible for protecting people from hackers, and those two missions conflict.  When the NSA / Cybercom finds a vulnerability, it has to decide whether to tell the manufacturer so that it can be fixed, or to keep it quiet so that it can be used until someone else finds it and tells the manufacturer.

The problem with that philosophy is that if the NSA was able to find the bug, the Chinese or Russians may well have found it too.  And the Chinese are unlikely to tell Cisco or Fortinet about it, so as long as the NSA keeps it secret, any adversary who also knows about the bug can use it against American companies.

The President issued a directive explaining the rules of engagement surrounding this issue (the process is known as the Vulnerabilities Equities Process), but the rules allow the NSA to keep a bug secret and not tell the manufacturer if it believes the bug has intelligence value.

So here we have a hacker group (The Shadow Brokers) that released a whole trove of bugs already weaponized into working attacks.  That is good for users in the long run, because the bugs will eventually be fixed, but until they are, anyone can use them to attack you and me.

The advisory goes into some detail on the attacks that were disclosed, including those against Cisco ASA firewalls, a very popular corporate firewall (one of them, EXTRABACON, CVE-2016-6366, is a buffer overflow in the ASA SNMP code that Cisco confirmed was a genuine, previously unpatched flaw).

The alert makes several very useful suggestions:

  1. Segregate your network.  Divide it into separate zones so that an attacker who gets through the front door does not have the run of the house.  The alert provides suggestions on how to do that.
  2. Limit “lateral” communications.  Do not let peer computers talk directly to each other unless there is a business reason for it; most attacks spread from the first compromised host to its neighbours.
  3. Harden network devices.  On firewalls and the like, use encrypted management protocols (SSH rather than telnet), use robust passwords, restrict physical access, and apply the other measures described in the alert.
  4. Secure access to firewalls and switches.  Restrict which hosts and networks can reach the management interfaces at all.
  5. Perform out-of-band management.  Management traffic on a separate network means an attacker on the production network cannot reach the management interfaces.
  6. Validate the integrity of the hardware and software.  Confirm that the images running on your devices are the ones the vendor shipped and that the hardware has not been tampered with.

The alert goes into a lot more detail, but given that we have strong reason to believe the NSA and probably other intelligence agencies have been using these attacks in the wild, and that NOW they are known to every hacker on the planet, it is critical that companies protect themselves.
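As an added illustration of items 3 and 4 above (this is example code written for this post, not something from the CERT alert or from any vendor), here is a small audit script that reads an IOS-style running configuration and flags the weak settings the hardening advice targets: clear-text password storage, plaintext HTTP management, default or unrestricted SNMP community strings, telnet on the remote-login lines, and login lines with no access-class restricting where management connections may come from.  The two configuration excerpts are constructed for the example; the function names are mine.

```python
import re
from typing import Dict, List

# Two constructed running-config excerpts in Cisco IOS-style syntax, written
# for this example (they are not from the alert or from any real device).
# WEAK_CONFIG carries the settings the alert's hardening items warn about;
# HARDENED_CONFIG is the same device with those settings corrected.
WEAK_CONFIG = """\
hostname edge-fw-1
no service password-encryption
ip http server
snmp-server community public RO
snmp-server community s3cretRW RW 10
line vty 0 4
 transport input telnet ssh
 password cisco123
line vty 5 15
 transport input ssh
 access-class 10 in
"""

HARDENED_CONFIG = """\
hostname edge-fw-1
service password-encryption
no ip http server
ip http secure-server
snmp-server community m0n1t0r-only RO 20
line vty 0 15
 transport input ssh
 access-class 10 in
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?$")


def line_blocks(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'line ...' parent command.

    IOS indents sub-commands by one space; a non-indented line ends the block.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    top_level = [ln.rstrip() for ln in config.splitlines() if not ln.startswith(" ")]

    # Harden: secrets in the config must not be stored in clear text.
    if "no service password-encryption" in top_level:
        findings.append("passwords stored in clear text (no service password-encryption)")
    # Harden: management over plaintext HTTP exposes credentials on the wire.
    if "ip http server" in top_level:
        findings.append("plaintext HTTP management enabled (ip http server)")
    # Harden / secure access: default or unrestricted SNMP communities.
    for line in top_level:
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string '{community}'")
        if mode == "RW" and acl is None:
            findings.append(f"writable SNMP community '{community}' with no access list")
    # Secure access: remote login lines must be SSH-only and ACL-restricted.
    for name, sub in line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        for s in sub:
            if s.startswith("transport input") and "telnet" in s.split():
                findings.append(f"{name}: telnet permitted ({s})")
        if not any(s.startswith("access-class") for s in sub):
            findings.append(f"{name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run against the weak excerpt it reports five findings (clear-text passwords, HTTP management, the “public” community, and telnet plus a missing access-class on vty 0 4); the hardened excerpt produces none.  The checks are deliberately exact-match on the lines the alert calls out, so a real audit would extend the list rather than loosen the matching.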


The CERT advisory can be found here.

A Wired article on the issue can be found here.



Holy Cow! Alert For Juniper Netscreen Firewall Users

UPDATE:  According to the Wired article below, the remote access issue is a hard-coded master password.  Of course, now that people know there is one, they can pull it out of the code (researchers at Rapid7 did so within days; it works for SSH and Telnet logins with any valid username), which means that if you have not patched your Juniper firewalls, you are at high risk of being owned.  Until you can patch, at least restrict SSH and Telnet management access to trusted hosts and review the login records.

The article also says that the VPN issue may allow an attacker to decrypt any VPN traffic they captured in the past.  So if the Chinese, for example (or the US, or Russia, or …), had captured traffic hoping to decrypt it some day, now is that time.

This is one of those STOP THE PRESSES! kind of alerts.  Juniper announced yesterday that there are two separate compromises of Juniper Netscreen firewalls (running ScreenOS) that would allow an attacker to gain administrative access to company firewalls and to decrypt VPN traffic.  Together, these would allow an attacker to completely own your network.

If you are running a Juniper firewall on ScreenOS 6.2.0r15 through 6.2.0r18 or 6.3.0r12 through 6.3.0r20, you need to patch your firewalls immediately.  (Juniper tracks the two issues as CVE-2015-7755 for the administrative access and CVE-2015-7756 for the VPN decryption.)

Juniper has been remarkably open about this, unlike some vendors.  I suspect that they figured this exploit is so bad that customers might run away from their products, so the lesser evil is to be honest about it.  In reality, my guess is that they are no better or worse than any other vendor.  Some vendors, in the same situation, might have just said “hey, we fixed some bugs, you should patch your firewall”.  The patches are available on Juniper’s web site (see link in the Network World article).

A couple of notes that Juniper made:

  • There is no workaround other than applying the patches.
  • They discovered this via an internal code review.  This MAY be good news, as attackers may not yet have found the problem.  HOWEVER, every attacker in the world knows about it now, and since it is an OWN THE COMPANY bug, you need to patch ASAP.  I was at a meeting yesterday where an FBI Special Agent speaking about security interrupted his presentation to tell us about it.  It is that kind of high priority.
  • Juniper said that the bug is the result of unauthorized code in ScreenOS.  While they did not explain what this unauthorized code is, to me that indicates their development environment or source repository was compromised.  If so, their entire code base is suspect at this time.  Hopefully they are going through all code in all products looking for backdoors.  Juniper says it does not believe Junos devices (their other operating system) are affected.
  • The first bug allows someone to gain unauthorized remote administrative access.  From there, you own the device and can wipe the logs, change the configuration or do anything else you might want to do.
  • The second bug, which is separate from the first, would allow an attacker who can monitor your VPN traffic to decrypt it.  Also not good, and there would be no indication that an attacker was decrypting your traffic.  Later analysis tied this one to a changed constant in the Dual_EC random number generator that ScreenOS uses; decrypting traffic requires knowing the secret behind the substituted constant, so unlike the password, this bug is mainly useful to whoever planted it.
  • Juniper has not said how long the code has been there, but some of the releases being patched date back to 2012.
  • While Juniper has not said how this “unauthorized code” got into the product, one candidate, based on the Snowden documents, is the NSA, which has apparently had an interest in listening in on organizations using Juniper hardware.

Whether this is the result of an NSA covert operation, another intelligence agency’s handiwork, or some random hacker, it points to the fact that companies need to proactively monitor changes to their software, both the source repositories and the build outputs, so that unauthorized changes are caught rather than shipped.  For all organizations, this should be a wake-up call for internal security.
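One concrete form of that monitoring, added here as an example (this is my code, not Juniper’s process and not anything from the articles), is a signed manifest of file hashes for a reviewed source tree or firmware image, re-checked before every build or release.  It also covers the CERT alert’s “validate the integrity of the software” item above.  The two in-memory trees are constructed stand-ins for a source tree (the C fragments are illustrative, not ScreenOS code); the key is a placeholder, and the point of signing the manifest is that whoever can rewrite the code on the build host can usually rewrite an unsigned manifest sitting beside it.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List

# Constructed stand-in for a reviewed source tree: relative path -> contents.
# These are illustrative fragments written for this example, not real code.
KNOWN_GOOD_TREE: Dict[str, bytes] = {
    "auth/login.c": b"int check_password(const char *u, const char *p) { return verify(u, p); }\n",
    "vpn/prng.c": b"/* DRBG constants and seeding */\n",
}

# The same tree after an unauthorized change: the login check gained an extra
# path (a constructed illustration) and a file nobody reviewed appeared.
TAMPERED_TREE: Dict[str, bytes] = {
    "auth/login.c": b"int check_password(const char *u, const char *p) { if (!strcmp(p, MAGIC)) return 1; return verify(u, p); }\n",
    "vpn/prng.c": b"/* DRBG constants and seeding */\n",
    "vpn/helper.c": b"/* added outside the normal review process */\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of every file in a reviewed, known-good tree."""
    return {path: sha256_hex(content) for path, content in sorted(tree.items())}


def read_tree(root: str) -> Dict[str, bytes]:
    """Load a real directory into the path -> bytes form the other functions use."""
    tree: Dict[str, bytes] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


def verify_tree(manifest: Dict[str, str], tree: Dict[str, bytes]) -> List[str]:
    """Return every deviation from the manifest; an empty list means the tree is intact."""
    problems: List[str] = []
    for path, expected in manifest.items():
        if path not in tree:
            problems.append(f"MISSING  {path}")
        elif not hmac.compare_digest(sha256_hex(tree[path]), expected):
            problems.append(f"MODIFIED {path}")
    for path in tree:
        if path not in manifest:
            problems.append(f"ADDED    {path}")
    return sorted(problems)


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding, keyed with a secret held off the build host."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: Dict[str, str], key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


if __name__ == "__main__":
    key = b"example-release-signing-key"  # placeholder; keep the real one off the build host
    manifest = build_manifest(KNOWN_GOOD_TREE)
    signature = sign_manifest(manifest, key)
    print("manifest authentic:", manifest_is_authentic(manifest, key, signature))
    print("known-good tree:", verify_tree(manifest, KNOWN_GOOD_TREE))
    print("tampered tree:  ", verify_tree(manifest, TAMPERED_TREE))
```

Against the known-good tree the check returns nothing; against the tampered tree it reports the modified login file and the added file, and a manifest regenerated from the tampered tree fails the signature check because the signer never saw it.  The same routine applies to a shipped firmware image: hash the files the vendor delivered, keep the signed manifest off the device, and compare what is running against it.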

This is a very interesting development.



Information for this post came from Network World.

Another article with more details can be found in Wired.