Juniper landed in hot water late last year after some of its networking gear was found to be carrying code that allowed attackers to eavesdrop on traffic sent through virtual private networks (VPNs). According to analysts, the code is likely to have been developed by the National Security Agency (NSA) to conduct spying activities. Juniper has now said it will update the software in the affected products to fix the issue.
The unauthorised code was sitting in the ScreenOS software used in Juniper’s NetScreen enterprise firewall/VPN offerings and allowed attackers to decrypt encrypted traffic passing through those devices. After the code was discovered last month, Juniper went into damage control as security researchers proved that the component in question, the Dual_EC_DRBG random number generator used in ScreenOS, could indeed be exploited by attackers.
In response, Juniper has said in a blog post that it will fix the issue by removing the spying code from its NetScreen line of products:
We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.
This incident has been a huge blow to Juniper’s reputation. It remains to be seen whether this move will help it regain the trust of its customers.