
Backdoor found: should I still buy this Juniper SRX100 router?

Poll: Should I buy this Juniper SRX100 router? (Total voters: 15)

qubit

A friend is selling a new Juniper SRX100 professional router with firewall capability. It normally goes for about £270, but he's selling it for £80. No, it's not bent, I know this guy!

I can use it with my ADSL modem as the hardware firewall to protect my home network, which would replace my dated but trusty hardened IPCop Linux based open source firewall that's currently running on an old, slightly unreliable, PC.

Thing is, I recently read about a real life backdoor found in Juniper firmware, which appears to be the handiwork of the NSA - although it doesn't appear to affect this model range. It's been fixed with a firmware update, but with a find like this, how can I possibly ever trust their products again? Could it even be enough to make the company go under, perhaps?

Being a mate, he's quite happy to let me use it for a few days before buying it to see if I like it, so there's no risk in that sense.

Hence, I've been wondering whether to buy it or not due to this potential security issue and can't quite decide, so would appreciate your opinions on this.

Check the links below for product info and the backdoor.

www.juniper.net/uk/en/products-services/security/srx-series/srx100

www.theregister.co.uk/2015/12/21/security_code_to_backdoor_juniper_firewalls_revealed_in_firmware

www.theregister.co.uk/2015/12/23/juniper_analysis
 
Tell me a product that doesn't have a backdoor? The list is far shorter than devices that do, Cisco, Juniper, Netgate, SonicWall, all of them have had security risk issues in the past and probably will into the future. I wouldn't be too worried. That should be a solid device for you to utilize for your network. Plus someone would have to take the time to want to scan your network, want to verify what your gateway firewall is, and want to try and break in. You're going to be on the very low end of a huge target spectrum...unless you have something worth sharing that they get a taste of... Even then, I'd buy it and use it.

Juniper makes solid products, if a company hasn't been slandered for making a mistake or compromise, it is only because it hasn't been advertised yet... :toast:
 
What's the point in even having a hardware firewall if there is a backdoor? So I've gotta say no; even if it has to be applied locally, I still would not.

If truly fixed maybe do some hard searching for facts to back that up and not just because they say so.
 
Thanks people. I'm leaning more towards buying it, especially after your advice, Kursah.

Are there any more opinions out there?
 
I trust my local Mikrotik devices for work etc., serious mission-critical stuff... at home - who cares really...
 
I'd get it but be more alert
 
As some others have said... what doesn't have a backdoor? I wouldn't even trust the Linux based router OSes anymore (to be 100% secure). Besides, if someone manages to get a hold of a government backdoor that isn't publicly known, they are most likely not using that information to come after you. I don't know the details of what happened with Juniper, but I'd be willing to bet the only reason their backdoor was patched was because it was publicly leaked, thus everyone was able to know about it. They probably sealed up that hole and made a new one for the government all in the same fix.
 
As some others have said... what doesn't have a backdoor? I wouldn't even trust the Linux based router OSes anymore (to be 100% secure). Besides, if someone manages to get a hold of a government backdoor that isn't publicly known, they are most likely not using that information to come after you. I don't know the details of what happened with Juniper, but I'd be willing to bet the only reason their backdoor was patched was because it was publicly leaked, thus everyone was able to know about it. They probably sealed up that hole and made a new one for the government all in the same fix.
Agreed, especially the bold bit. Please do vote! :)

Note that things like IPCop are 100% open source, so it would be really hard to sneak a backdoor into that. At least the found backdoor didn't apply directly to my product. They just haven't found it yet...
 
sorry not quite the backdoor "found" I was thinking :)
 
backdoor sluts 9?? wut?
 
If you're worried about a backdoor then the fix is simple, unplug your internet, ditch your cell, live off the grid..

Basically if you're really paranoid about backdoors from the NSA you'd live under a rock with tinfoil on your head. If you have something worth hiding then they'll find their way in. If you have nothing to hide then why does it matter, it's the world we live in nowadays.
 
Dude, the NSA has tabs in EVERYTHING. Whether you like it or not, it's their job and "duty" to stay ahead of the curve and be in everything at all times. There isn't a single product out that's "NSA" proof. Just because some backdoor was found doesn't mean it isn't secure. EVERYTHING has backdoors, intentional or not. Why do you think your Windows installs updates? Why do you think there's updates at all? 80-90% of the time, they're to fix a security issue (i.e. a backdoor of some kind).
 
Alright, a few things to allay your concerns. Firstly, let me qualify my response a little here. I work for a Juniper Partner, we're a consulting firm (we don't deal exclusively in Juniper, but we push it where possible).

First, the security back door that was found was in ScreenOS. ScreenOS was inherited from Netscreen, although reports suggest it was embedded after 2008, which is when Juniper owned Netscreen......

Still, all of Juniper's SRX range runs JunOS, which is Juniper's OS. JunOS runs on a customized version of BSD essentially. JunOS runs on pretty much all their devices, including at the carrier level (ScreenOS is largely deprecated these days). As far as I am aware JunOS does not have this backdoor. Not saying it is out of the question, however Juniper being a Canadian company...... Who knows really. Still, the NSA are more likely to intercept your information in transit rather than directly from your device.

Also, I just tried the same password against an SRX110hv2 we have in the office here. This is a firmware that is at least 2 years old by now and the same password is confirmed NOT to work. Also, being BSD based, it's pretty easy to get an output of users:

cat /etc/passwd
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
ext:*:39:39:External applications:/:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin


Conversely I just confirmed the validity of this backdoor on a NetScreen appliance I have access to..... Pretty big security flaw..... However provided you don't go through the process of opening up SSH access from the web... Then you really shouldn't have too many issues.

I run an SRX220 at home right now (it changes often, my Edgerouter is at my sister's) and I am fairly confident I am safe and sound....

A tip, if you are running a version of JunOS 10.x or earlier you will need to upgrade to have the device act as a DNS server. I recommend upgrading to the most recent JTAC recommended release anyway, however I believe you need an account with Juniper to download the software....... Legally anyway....... Here's the link if you want to see JTAC's recommendations:

http://www.juniper.net/support/downloads/?p=srx100#sw
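A `/etc/passwd` listing like the one in the post above can be checked against a baseline instead of read by eye. The script below is an added example, not part of the original post or any Juniper tooling; the `EXPECTED_LOGIN` allow-list and the two constructed sample entries (`support`, `svc`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format listing against a baseline.
# EXPECTED_LOGIN is an assumption: accounts allowed to have a real shell.
EXPECTED_LOGIN="root"

# Reads passwd lines on stdin and prints one finding per line:
#   UID0 <name>       account other than root with UID 0
#   SHELL <name>      unexpected account with an interactive shell
#   PWFIELD <name>    password field is not the "*" placeholder
#   MALFORMED line N  entry does not have 7 colon-separated fields
audit_passwd() {
    awk -F: -v allow="$EXPECTED_LOGIN" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        NF != 7 { print "MALFORMED line " NR; next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print "SHELL " $1 }
        $2 != "*" { print "PWFIELD " $1 }
    '
}

# Constructed sample: part of the listing from the post plus two
# invented entries ("support", "svc") that a review should catch.
sample_listing() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
support:*:0:0:constructed entry:/root:/bin/sh
svc:x1y2:1001:1001:constructed entry:/home/svc:/sbin/nologin
EOF
}

sample_listing | audit_passwd
```

The check covers account entries only; a password accepted by the login code itself, like the one tested in the post, would not show up in this file.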
 
the original intent of the backdoor was likely less nsa and more stupid users locking themselves out
 
the original intent of the backdoor was likely less nsa and more stupid users locking themselves out
no, because it would have been known already from the first user locking themself out and calling up.
 
@Rhyseh Thanks for the detailed info, I feel much more confident about this now. :) Is that backdoored NetScreen appliance going to have the later, fixed firmware installed?

Thinking about it, I now have a practical question and I know I could look it up, but I'd rather discuss it with you. I have a DrayTek Vigor 120 ADSL modem at home. This thing is literally a modem which allows various ADSL settings to be configured, but nothing else and has no other functionality. It certainly doesn't have a firewall and it doesn't even have a way to log into my broadband service. I bought it especially for this simplicity as I was using it with my IPCop firewall to protect my network. On the firewall, I then have to configure a dialup connection to log into the broadband service after which I can access the internet.

My question is, does the SRX100 have equivalent functionality, because if not, I can't use it with that modem and it's no good to me.

To everyone else: agreed, just about all equipment is vulnerable in one way or another, your actual risk is simply a matter of how desirable a target you are. Still, you wouldn't want to use something with a known backdoor if possible and hence the reason for my thread.
 
@qubit yes it most certainly does have equivalent functionality. Basically you configure the fe interface as ppp over ethernet and then configure a ppp interface with the relevant parameters.

If you've not configured a commercial firewall like this before then I would suggest allocating a fair chunk of time. You will have to configure NAT and firewall policies before it will start working.

Juniper has a lot of great example and how-to articles. This one should point you down the right track:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15736&actp=search

If you get stuck I can pm you a sanitised config, however all our ADSL services on these devices are normally via an inbuilt ADSL interface or via a PIC module so the actual interface config may differ somewhat.

Oh and that Netscreen will be updated during the next maintenance window. I only have two to do. I'm actually pushing the customer to replace with a newer, larger Sophos UTM, so I am tempted to use it as a bargaining chip.... However plan B is an SRX240 and I don't really want to start putting doubts in their heads about Juniper products...
 
Thanks Rhyseh, glad to hear I can use it with the modem and I look forward to the challenge of configuring it.

At least when my internet connection is dead in the water due to my hamfisted faffing around I'll be able to tether my PC to the smartphone lol and access those resources.
 
no, because it would have been known already from the first user locking themself out and calling up.
it's probably a service backdoor for remote support
 
Put a screen door over the back door. That'll keep them pesky bugs out while giving you fresh air.
 
again, as much as the people in this thread like controversy and tin foil hats, the backdoor had nothing to do with the NSA
think about it: if the NSA wanted to have a backdoor they would certainly do a better job of hiding it. there are far more secure approaches to putting in a back door than what is shown here
 