Bug in Juniper Software Enabled Severe IPSec Vulnerability
Major vulnerability will hopefully have small impact on internet security.
A major bug in Juniper Networks’ Junos OS was fixed this week in a new patch released by the company. In the IKE/IPSec protocols, the software’s implementation of certificate validation, a key part of how X.509 certificates provide a secure connection, did not work properly. Juniper Networks is one of the largest manufacturers of network and internet infrastructure devices.
In the release of their patch, Juniper wrote that “Junos incorrectly validated self-signed certificates when the ‘issuer name [matched] one of the valid CA certificates enrolled in Junos.’” This means the software was only looking at the name of a certificate when determining its legitimacy.
Luckily, the bug only affects “certificates used for IKE/IPSec,” which is just one of the many protocols that use security certificates for encryption and authentication. Juniper stated that, “other public key-based authentication is unaffected by this vulnerability,” so the widely used SSL/TLS protocols were not at risk from this vulnerability.
In order to provide authentication, one of the core purposes of the X.509 certificate standard, there needs to be cryptographic validation of the certificate being used. This proper way to do this is for the client device to check the digital signature of the certificate, and locally compute it to make sure that there is a match with the issuing Root CA.
When that process is done correctly, the client device can prove if the certificate being presented was really signed by the trusted Root CA, or if the certificate is a forgery. Junos’ code did not do this. Instead, it skipped all the mathematics, and just looked to see if the issuer name matched any of the Root CAs.
Junos’ process involves no cryptographic proofs and provides no security. Using the bug, an attacker could simply create their own certificate with an Issuer name matching a trusted Root and have Junos trust it. They could then use the certificate to impersonate any server and receive sensitive information. It’s equivalent to a store accepting a piece of paper that someone wrote “$20 Bill” on with a pen.
To say this was a mistake is an understatement. Hanno Böck, a cyber security journalist, said “[the code] was implemented by people who had no idea what they were doing.”
Juniper says they have no knowledge that this vulnerability has actually been exploited, and no other evidence has suggested it has. If this vulnerability has been used it would make it extremely easy for malicious actors to undermine the security of IKE/IPSec connections being made with Junos.
The affected protocols are not very popular – they are primarily used in securing VPN connections, though most VPNs opt for other protocols for security. IPSec’s lack of popularity is likely a contributing factor to the bug, as it would be under far less scrutiny from code-auditing projects and researchers.
Juniper’s problems also made headlines late last year when a backdoor was discovered in the code used in another one of their operating systems. The backdoor had been present for years and was part of the code for a random number generator, one of the tools used in establishing secure connections. This backdoor allowed for the decryption of those connections, particularly VPN connections where the software was frequently used. It is not known how that backdoor appeared in their software, but some suspect it may have been done under the influence or supervision of a government.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown