Password string was made to look like debug code

Dec 21, 2015 10:01 GMT  ·  By

Rapid7, a cyber-security vendor, says it managed to discover the password that attackers could use to bypass authentication on Juniper devices affected by the "unauthorized code" issue (CVE-2015-7755).

Towards the end of last week, Juniper put out an advisory after it discovered unauthorized code in the ScreenOS operating system, installed on some of its enterprise firewalls.

The company said that attackers could leverage this hidden code and get access to the device, from where they could easily decrypt VPN traffic.

The issue was present only in some of its equipment, more precisely NetScreen devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

According to Rapid7, attackers can use the password "<<< %s(un='%s') = %u" to bypass both SSH and Telnet authentication procedures, with the only condition that they know a valid username.

The password was found in the ScreenOS code, and it looks like a code comment, which is probably why it went unnoticed for so many years.
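As an added example (not code from Rapid7, Juniper or this article), a small triage script: it checks a ScreenOS version string against the affected ranges listed above and scans a firmware image for the hard-coded password string, reporting where it occurs. The sample image bytes are constructed for the demonstration and are not a real ScreenOS dump.

```python
import re
from typing import List, Optional, Tuple

# Affected ScreenOS releases as listed in the article (inclusive ranges).
AFFECTED_RANGES = (
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 12), (6, 3, 0, 20)),
)

# Hard-coded password string reported by Rapid7. It is used here only as a
# byte pattern to search for; it is never handed to a printf-style formatter.
BACKDOOR_STRING = b"<<< %s(un='%s') = %u"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a version such as '6.3.0r17' into a comparable tuple, or None."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(text: str) -> bool:
    """True if the version lies inside one of the published affected ranges."""
    v = parse_version(text)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def find_backdoor_offsets(blob: bytes) -> List[int]:
    """Return every byte offset at which the hard-coded password appears."""
    offsets, start = [], 0
    while (idx := blob.find(BACKDOOR_STRING, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets

def extract_versions(blob: bytes) -> List[str]:
    """Pull ScreenOS-style version strings (e.g. 6.3.0r17) out of an image."""
    return [m.decode() for m in re.findall(rb"\d+\.\d+\.\d+r\d+", blob)]

def triage_image(blob: bytes) -> dict:
    """Versions seen, whether any is in an affected range, and string hits."""
    versions = extract_versions(blob)
    return {
        "versions": versions,
        "version_affected": any(is_affected(v) for v in versions),
        "backdoor_offsets": find_backdoor_offsets(blob),
    }

# Constructed sample image (not a real ScreenOS dump) for a stand-alone run.
SAMPLE_IMAGE = b"\x7fELF" + b"\x00" * 12 + b"ScreenOS 6.3.0r17\x00" + BACKDOOR_STRING + b"\x00"

if __name__ == "__main__":
    print(triage_image(SAMPLE_IMAGE))
```

A version inside the affected range together with a string hit means the image should be treated as carrying the unauthorized code and replaced with the fixed release from Juniper.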

Initial reports hinted that the backdoor might have existed in the code since 2008, when the affected OS versions were launched, but estimates were later narrowed down to 2012, when the affected versions were released. Rapid7 claims that the backdoor password was added only in 2013.

An investigation by The Register revealed that large parts of the ScreenOS code were written in Juniper's NetScreen division, based in China. Juniper bought NetScreen in 2004 for $3.4 billion.