Security firm Juniper has discovered 'unauthorised code' in its ScreenOS platform which has the capacity to intercept and decrypt virtual private network (VPN) traffic and erase any evidence of intrusion.
Virtual private networks are incredibly useful things: as well as allowing remote users to access resources located within a local network, they typically use encryption to prevent any data from being eavesdropped upon during transit - removing the risk of using public networks for critical traffic. Sadly, Juniper's ScreenOS platform has been found to be rather less secure than its users had hoped with the discovery of malicious code designed to break into VPN sessions without the operator's knowledge.
'During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,
' explained Juniper chief information officer Bob Worrall in a blog post
published late last night and directed to users of Juniper NetScreen devices. 'At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.
For Juniper, the admission is doubly embarrassing: first that its security appliances had such a major vulnerability in them, and second that the vulnerability was seemingly installed deliberately by persons unknown rather than created as the result of a coding error - suggesting that the company's own network may have fallen victim to attack and bringing the security of its other products into question.