Juniper Discovers VPN Decryption Code: Patch Your Systems Now

     
2:33 pm on Dec 18, 2015 (gmt 0)

engine (WebmasterWorld Administrator, from GB)


There's a patch available now, even though there are no apparent exploits taking place right now.

Juniper has announced that it has found two critical security vulnerabilities in ScreenOS. The first would allow an attacker to decrypt VPN traffic and leave no trace of their actions, while the second allows complete compromise of a device via an unauthorised remote access vulnerability over SSH or telnet.

Juniper Discovers VPN Decryption Code: Patch Your Systems Now [zdnet.com]


[kb.juniper.net...]
5:07 am on Dec 21, 2015 (gmt 0)

bill (WebmasterWorld Administrator, from JP)


I guess this is all speculation still, but if Juniper were using Dual-EC, which was criticized for using an intentionally weakened random number generator, some of the current anti-encryption rhetoric is going to look a bit silly.

https://www.imperialviolet.org/2015/12/19/juniper.html [imperialviolet.org]

Juniper: recording some Twitter conversations (19 Dec 2015)

Again, assuming this hypothesis is correct then, if it wasn't the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place.