Juniper Networks patched a crypto bug tied to its public key infrastructure that could have allowed hackers to access the company’s routers, switches and security devices and eavesdrop on sensitive communications. The flaw was tied to Juniper products and platforms running Junos, the Juniper Network Operating System. The bug (CVE-2016-1280) was reported and patched by Juniper on Wednesday, with public disclosure Friday. Juniper also posted its own information on the security vulnerability, which was found internally.
The vulnerability allowed attackers to create specially crafted self-signed certificates that could bypass certificate validation on Juniper hardware running the Junos OS. If exploited, the vulnerability could have allowed an attacker in a man-in-the-middle position on the victim’s network to read supposedly secure communications. “When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid,” explains Juniper. Juniper said the vulnerability only affects certificates used for the Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) protocols.

Certificate validation is crucial when it comes to establishing secure sessions, as attackers often employ techniques that involve spoofing certificates for high-value targets such as Google or Microsoft in the hope of capturing users’ confidential data, such as user IDs and passwords. If the client doesn’t or can’t properly check that the certificate presented is valid and was issued for the proper site, the security of the connection can’t be trusted.

“The latest flaw in how certificates are trusted affects the privacy and security of hundreds of enterprises around the world,” said Kevin Bocek, vice president of Security Strategy and Threat Intelligence at Venafi, in a statement. “The inability of Juniper’s private networks to validate if a connecting device should be trusted or not is a huge blow to the foundation of security that’s been built up for the last 20 years,” he said. Bocek said that when certificates fail, the tables can easily be turned by malicious actors and “every other layer of security can fail” right along with it. “Research shows it can be incredibly easy to forge a malicious certificate that tricks Juniper devices into accepting untrusted and malicious connections. The problem is exacerbated since the connections are then encrypted and allow for infiltration/exfiltration of data – leaving targets blind to attack,” he said.

For security experts such as Bocek, the most recent Juniper crypto bug is the latest in a string of incidents in which vendors have failed to properly validate certificates. Bocek points out that Gartner has argued since 2012 that certificates can’t be blindly trusted. “Unfortunately, the industry and enterprises continue to treat this huge problem as less important, and the lack of focus continues to leave us all vulnerable,” Bocek said.

Juniper’s crypto security bug was just one of many patches for critical vulnerabilities discovered internally this week by the network firm. Juniper also issued a patch for a privilege escalation vulnerability (CVE-2016-1279), two kernel vulnerabilities (CVE-2016-1263 and CVE-2016-1277), a DoS vulnerability (CVE-2016-1276) and a Virtual Private LAN Service vulnerability (CVE-2016-1275) in its products.
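To make the trust decision Juniper describes concrete, here is a toy model of the flawed check beside a corrected one. This is an added illustration, not Junos code: certificates are plain records, HMAC-SHA256 stands in for a real signature so it runs with the standard library, and the CA name, keys and peer names are all constructed placeholders.

```python
"""Toy model of the CVE-2016-1280 trust decision (constructed example, not Junos code).

A 'certificate' is a record with subject, issuer and a toy signature over the two names
made with HMAC-SHA256 under the issuer's key (a stand-in for a real public-key signature).
The point is the validation logic: name matching versus signature verification."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signature: bytes  # toy signature over "subject|issuer" by whoever held the signing key


def sign(key: bytes, subject: str, issuer: str) -> Cert:
    tbs = f"{subject}|{issuer}".encode()
    return Cert(subject, issuer, hmac.new(key, tbs, hashlib.sha256).digest())


def sig_valid(cert: Cert, key: bytes) -> bool:
    tbs = f"{cert.subject}|{cert.issuer}".encode()
    return hmac.compare_digest(hmac.new(key, tbs, hashlib.sha256).digest(), cert.signature)


# Enrolled CA trust store: CA name -> CA key (constructed; a real store holds public keys).
TRUST_STORE = {"CN=Corp-VPN-CA": b"ca-key-constructed"}


def validate_flawed(peer: Cert) -> bool:
    # Mirrors the advisory: a self-signed end-entity cert whose issuer name matches an
    # enrolled CA is treated as valid and the signature check is skipped entirely.
    if peer.subject == peer.issuer and peer.issuer in TRUST_STORE:
        return True
    return peer.issuer in TRUST_STORE and sig_valid(peer, TRUST_STORE[peer.issuer])


def validate_fixed(peer: Cert) -> bool:
    # The signature must verify under the enrolled CA's key; the name alone carries no trust.
    key = TRUST_STORE.get(peer.issuer)
    return key is not None and sig_valid(peer, key)


def demo() -> dict:
    legit = sign(TRUST_STORE["CN=Corp-VPN-CA"], "CN=branch-gw", "CN=Corp-VPN-CA")
    # A self-signed cert under a non-enrolled key that merely copies the CA's name.
    lookalike = sign(b"unenrolled-key-constructed", "CN=Corp-VPN-CA", "CN=Corp-VPN-CA")
    return {
        "flawed_accepts_legit": validate_flawed(legit),
        "flawed_accepts_lookalike": validate_flawed(lookalike),
        "fixed_accepts_legit": validate_fixed(legit),
        "fixed_accepts_lookalike": validate_fixed(lookalike),
    }
```

The flawed validator accepts both certificates; the corrected one rejects the lookalike because its signature does not verify under the enrolled CA key.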