# Backdoor found: should I still buy this Juniper SRX100 router?



## qubit (Dec 30, 2015)

A friend is selling a new Juniper SRX100 professional router with firewall capability. It normally goes for about £270, but he's selling it for £80. No, it's not bent, I know this guy!

I can use it with my ADSL modem as the hardware firewall to protect my home network, which would replace my dated but trusty hardened IPCop Linux-based open source firewall that's currently running on an old, slightly unreliable, PC.

Thing is, I recently read about a real-life backdoor found in Juniper firmware, which appears to be the handiwork of the NSA - although it doesn't appear to affect this model range. It's been fixed with a firmware update, but with a find like this, how can I possibly ever trust their products again? Could it even be enough to make the company go under, perhaps?

Being a mate, he's quite happy to let me use it for a few days before buying it to see if I like it, so there's no risk in that sense.

Hence, I've been wondering whether to buy it or not due to this potential security issue and can't quite decide, so would appreciate your opinions on this.

Check the links below for product info and the backdoor.

www.juniper.net/uk/en/products-services/security/srx-series/srx100

www.theregister.co.uk/2015/12/21/security_code_to_backdoor_juniper_firewalls_revealed_in_firmware

www.theregister.co.uk/2015/12/23/juniper_analysis


----------



## Kursah (Dec 30, 2015)

Tell me a product that doesn't have a backdoor? The list is far shorter than the list of devices that do: Cisco, Juniper, Netgate, SonicWall, all of them have had security risk issues in the past and probably will into the future. I wouldn't be too worried. That should be a solid device for you to utilize for your network. Plus someone would have to take the time to want to scan your network, want to verify what your gateway firewall is, and want to try and break in. You're going to be on the very low end of a huge target spectrum...unless you have something worth sharing that they get a taste of... Even then, I'd buy it and use it.

Juniper makes solid products; if a company hasn't been slandered for making a mistake or compromise, it is only because it hasn't been advertised yet...


----------



## AsRock (Dec 30, 2015)

What's the point in having even a hardware firewall if there is a backdoor? So I gotta say no; even if it has to be applied locally, I still would not.

If truly fixed maybe do some hard searching for facts to back that up and not just because they say so.


----------



## qubit (Dec 30, 2015)

Thanks people. I'm leaning more towards buying it, especially after your advice, Kursah.

Are there any more opinions out there?


----------



## Ferrum Master (Dec 30, 2015)

I am trusty to my local Mikrotik devices for work etc serious mission critical stuff... at home - who cares really...


----------



## remixedcat (Dec 31, 2015)

I'd get it but be more alert


----------



## hat (Dec 31, 2015)

As some others have said... what doesn't have a backdoor? I wouldn't even trust the Linux-based router OSes anymore (to be 100% secure). Besides, if someone manages to get a hold of a government backdoor that _isn't_ publicly known, they are most likely not using that information to come after you. I don't know the details of what happened with Juniper, but I'd be willing to bet the only reason their backdoor was patched was because it was publicly leaked, thus everyone was able to know about it. They probably sealed up that hole and made a new one for the government all in the same fix.


----------



## qubit (Jan 1, 2016)

hat said:


> As some others have said... what doesn't have a backdoor? I wouldn't even trust the Linux-based router OSes anymore (to be 100% secure). Besides, if someone manages to get a hold of a government backdoor that _isn't_ publicly known, they are most likely not using that information to come after you. I don't know the details of what happened with Juniper, but I'd be willing to bet the only reason their backdoor was patched was because it was publicly leaked, thus everyone was able to know about it. *They probably sealed up that hole and made a new one for the government all in the same fix.*


Agreed, especially the bold bit.  Please do vote! 

Note that things like IPCop are 100% open source, so it would be really hard to sneak a backdoor into that. At least the found backdoor didn't apply directly to my product. They just haven't found it yet...


----------



## flmatter (Jan 1, 2016)

sorry not quite the backdoor "found" I was thinking


----------



## remixedcat (Jan 1, 2016)

backdoor sluts 9?? wut?


----------



## ShiBDiB (Jan 1, 2016)

If you're worried about a backdoor then the fix is simple: unplug your internet, ditch your cell, live off the grid..

Basically if you're really paranoid about backdoors from the NSA you'd live under a rock with tinfoil on your head. If you have something worth hiding then they'll find their way in. If you have nothing to hide then why does it matter, it's the world we live in nowadays.


----------



## CjStaal (Jan 2, 2016)

Dude, the NSA has tabs in EVERYTHING. Whether you like it or not, it's their job and "duty" to stay ahead of the curve and be in everything at all times. There isn't a single product out that's "NSA" proof. Just because some backdoor was found doesn't mean it isn't secure. EVERYTHING has backdoors, intentional or not. Why does your Windows install updates? Why do you think there's updates at all? 80-90% of the time, they're to fix a security issue (i.e. a backdoor of some kind).


----------



## Rhyseh (Jan 5, 2016)

Alright a few things to allay your concerns. Firstly let me qualify my response a little here. I work for a Juniper Partner, we're a consulting firm (we don't deal exclusively in Juniper, but we push it where possible).

First, the security backdoor that was found was in ScreenOS. ScreenOS was inherited from Netscreen, although reports suggest it was embedded after 2008, which is when Juniper owned Netscreen......

Still, all of Juniper's SRX range runs JunOS, which is Juniper's OS. JunOS runs on a customized version of BSD essentially. JunOS runs on pretty much all their devices, including at the carrier level (ScreenOS is largely deprecated these days). As far as I am aware JunOS does not have this backdoor. Not saying it is out of the question, however Juniper being a Canadian company...... Who knows really. Still, the NSA are more likely to intercept your information in transit rather than directly from your device.

Also I just tried the same password against an SRX110hv2 we have in the office here; this is a firmware that is at least 2 years old by now and the same password is confirmed *NOT* to work. Also, being BSD-based it's pretty easy to get an output of users:

```
cat /etc/passwd
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
ext:*:39:39:External applications:/:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
```

Conversely I just confirmed the validity of this backdoor on a NetScreen appliance I have access to..... Pretty big security flaw..... However provided you don't go through the process of opening up SSH access from the web... Then you really shouldn't have too many issues.

I run an SRX220 at home right now (it changes often, my Edgerouter is at my sister's) and I am fairly confident I am safe and sound....

A tip, if you are running a version of JunOS 10.x or earlier you will need to upgrade to have the device act as a DNS server. I recommend upgrading to the most recent JTAC recommended release anyway, however I believe you need an account with Juniper to download the software....... Legally anyway....... Here's the link if you want to see JTAC's recommendations:

http://www.juniper.net/support/downloads/?p=srx100#sw


----------



## OneMoar (Jan 5, 2016)

the original intent of the backdoor was likely less nsa and more stupid users locking themselves out


----------



## CjStaal (Jan 5, 2016)

OneMoar said:


> the original intent of the backdoor was likely less nsa and more stupid users locking themselves out


no, because it would have been known already from the first user locking themselves out and calling up.


----------



## qubit (Jan 5, 2016)

@Rhyseh Thanks for the detailed info, I feel much more confident about this now.  Is that backdoored NetScreen appliance going to have the later, fixed firmware installed?

Thinking about it, I now have a practical question and I know I could look it up, but I'd rather discuss it with you. I have a DrayTek Vigor 120 ADSL modem at home. This thing is literally a modem which allows various ADSL settings to be configured, but nothing else, and has no other functionality. It certainly doesn't have a firewall and it doesn't even have a way to log into my broadband service. I bought it especially for this simplicity as I was using it with my IPCop firewall to protect my network. On the firewall, I then have to configure a dialup connection to log into the broadband service, after which I can access the internet.

My question is, does the SRX100 have equivalent functionality, because if not, I can't use it with that modem and it's no good to me.

To everyone else: agreed, just about all equipment is vulnerable in one way or another, your actual risk is simply a matter of how desirable a target you are. Still, you wouldn't want to use something with a known backdoor if possible and hence the reason for my thread.


----------



## Rhyseh (Jan 5, 2016)

@qubit yes it most certainly does have equivalent functionality. Basically you configure the fe interface as ppp over ethernet and then configure a ppp interface with the relevant parameters.

If you've not configured a commercial firewall like this before then I would suggest allocating a fair chunk of time. You will have to configure NAT and firewall policies before it will start working.

Juniper has a lot of great example and how-to articles. This one should point you down the right track:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15736&actp=search

If you get stuck I can PM you a sanitised config, however all our ADSL services on these devices are normally via an inbuilt ADSL interface or via a PIC module so the actual interface config may differ somewhat.

Oh and that Netscreen will be updated during the next maintenance window. I only have two to do. I'm actually pushing the customer to replace with a newer, larger Sophos UTM, so I am tempted to use it as a bargaining chip.... However plan B is an SRX240 and I don't really want to start putting doubts in their heads about Juniper products...


----------
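A minimal Junos set-format configuration for the arrangement Rhyseh describes (PPPoE on an fe port, a pp0 interface, source NAT and policies), added here as an example; it is not from the thread or from KB15736. It assumes fe-0/0/0 faces the modem, vlan.0 is the LAN, and placeholder CHAP credentials; it also adds a logged inbound deny policy so blocked connection attempts appear in the security log.

```text
## SRX100 PPPoE WAN behind a bridged ADSL modem (constructed example)
## fe-0/0/0 = port to the modem, vlan.0 = LAN; credentials are placeholders

# 1. The Ethernet port carries PPPoE frames; pp0.0 is the logical WAN link
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap local-name "USER@ISP.EXAMPLE"
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "CHANGE-ME"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 0 family inet mtu 1492
set routing-options static route 0.0.0.0/0 next-hop pp0.0

# 2. Zones: pp0.0 is untrust with no host-inbound services, so management
#    (SSH, web UI) is reachable only from the trust side
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services dns

# 3. Source NAT: LAN hosts leave with the address negotiated on pp0.0
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule lan-out match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule lan-out then source-nat interface

# 4. Policies: LAN out is permitted; inbound is explicitly denied and logged
set security policies from-zone trust to-zone untrust policy lan-out match source-address any
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit
set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init
```

After commit, `show interfaces pp0.0 terse` confirms the PPPoE link is up, and `show log messages | match RT_FLOW_SESSION_DENY` lists the denied inbound sessions the last policy logs.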



## qubit (Jan 5, 2016)

Thanks Rhyseh, glad to hear I can use it with the modem and I look forward to the challenge of configuring it.

At least when my internet connection is dead in the water due to my hamfisted faffing around I'll be able to tether my PC to the smartphone lol and access those resources.


----------



## OneMoar (Jan 5, 2016)

CjStaal said:


> no, because it would have been known already from the first user locking themself out and calling up.


it's probably a service backdoor for remote support


----------



## Toothless (Jan 5, 2016)

Put a screen door over the back door. That'll keep them pesky bugs out while giving you fresh air.


----------



## qubit (Jan 5, 2016)

Toothless said:


> Put a screen door over the back door. That'll keep them pesky bugs out while giving you fresh air.


Oh stop it! rofl.


----------



## taz420nj (Jan 5, 2016)

Kursah said:


> Tell me a product that doesn't have a backdoor?



pfSense?


----------



## OneMoar (Jan 5, 2016)

again as much as the people in this thread like controversy and tin foil hats the backdoor had nothing to do with the NSA
think about it if the nsa wanted to have a backdoor they would certainly do a better job of hiding it there are far more secure approaches to putting in a back door than what is shown here


----------



## Kursah (Jan 5, 2016)

taz420nj said:


> pfSense?



While not as severe or publicly commented as the Juniper issue was, there are backdoors everywhere. I wouldn't expect any less in this day and age. 

https://github.com/chadillac/pfsense_xmlrpc_backdoor


----------



## taz420nj (Jan 5, 2016)

Kursah said:


> While not as severe or publicly commented as the Juniper issue was, there are backdoors everywhere. I wouldn't expect any less in this day and age.
> 
> https://github.com/chadillac/pfsense_xmlrpc_backdoor



That's an exploit, not an intentional back door. Considering it is over 9 months old and pfSense is under active development I'd imagine it's patched by now.


----------



## Kursah (Jan 5, 2016)

True it's older, but I wouldn't think for a second that there's absolutely no backdoors exploitable or conveniently hidden in any appliance OS, PF Sense included. That kind of assumption is dangerous. With that said, PF Sense is probably one of the better bets for users.


----------



## qubit (Jan 6, 2016)

OneMoar said:


> *again as much as the people in this thread like controversy and tin foil hats the backdoor had nothing to do with the NSA*
> think about it if the nsa wanted to have a backdoor they would certainly do a better job of hiding it there are far more secure approaches to putting in a back door than what is shown here


It's actually the first article that I linked to citing the NSA putting it in there, not us. Also, the article is giving reasons why it's actually likely _not_ the NSA, despite rumours that it is.

Whether they'd do a better job of it than this I have no idea.


----------



## taz420nj (Jan 6, 2016)

Kursah said:


> True it's older, but I wouldn't think for a second that there's absolutely no backdoors exploitable or conveniently hidden in any appliance OS, PF Sense included. That kind of assumption is dangerous. With that said, PF Sense is probably one of the better bets for users.



Bugs are one thing, but pfSense is open source - whether it is on a PC or an appliance it's still the same program.  It's pretty tough to "hide" a back door in something with so many eyes that can look at it...


----------



## Rhyseh (Jan 6, 2016)

From a networking perspective it is a very inelegant solution. You're better off having something embedded in the device (read hardware) to upload logging data.

Chances are this is a backdoor that the dev team use and neglected to remove.


----------



## Kursah (Jan 6, 2016)

taz420nj said:


> Bugs are one thing, but pfSense is open source - whether it is on a PC or an appliance it's still the same program.  It's pretty tough to "hide" a back door in something with so many eyes that can look at it...



True, bugs are one thing and yes pfSense is open source...but that doesn't mean it's impossible, just far less likely to be seen if someone really wanted to hide it. Regardless doesn't mean it will not and cannot happen, and it's simply unsafe to assume it cannot. Less likely, absolutely...impossible..not even close.


----------



## taz420nj (Jan 6, 2016)

Kursah said:


> True, bugs are one thing and yes pfSense is open source...but that doesn't mean it's impossible, just far less likely to be seen if someone really wanted to hide it. Regardless doesn't mean it will not and cannot happen, and it's simply unsafe to assume it cannot. Less likely, absolutely...impossible..not even close.



Not saying it can't, but the odds that it would are astronomical. If they tried it do you realize what that would do to their credibility once it was found - since it IS impossible to hide something surreptitious in open source code? It would become nonexistent instantly. They'd never be trusted again, they'd lose the vast majority of their userbase overnight and it would be the end of ESF.


----------



## Kursah (Jan 6, 2016)

taz420nj said:


> Not saying it can't, but the odds that it would are astronomical. If they tried it do you realize what that would do to their credibility once it was found - since it IS impossible to hide something surreptitious in open source code? It would become nonexistent instantly. They'd never be trusted again, they'd lose the vast majority of their userbase overnight and it would be the end of ESF.



It would be far far worse than what Juniper is facing to say the least. Let's hope that day never comes...


----------



## qubit (Jan 6, 2016)

taz420nj said:


> Not saying it can't, but the odds that it would are astronomical. If they tried it do you realize what that would do to their credibility once it was found - since it IS impossible to hide something surreptitious in open source code? It would become nonexistent instantly. They'd never be trusted again, they'd lose the vast majority of their userbase overnight and it would be the end of ESF.


This is one of the reasons why I like IPCop so much, which I've been using for about a decade now. As you say, any funny business like this and they'd be dead in the water.

Confession: the old Compaq D510 PC it was running on developed a very noisy CPU or PSU fan a few months ago. I then turned it off and returned to my old ISP supplied router temporarily. The shame of it is that I never got round to fixing the PC and I'm still on it!  That Juniper doesn't look like it's got a fan so at least an annoying fault like this won't be a problem, lol.


----------



## Rhyseh (Jan 6, 2016)

Nope. No fan. It's really very low power draw overall.


----------



## qubit (Jan 10, 2016)

Ok, I've had the router for a couple of days now and have just gotten around to playing around with it this insomniac night.

Turns out I won't be keeping it, unfortunately. While it's very nice, it doesn't actually log intrusion attempts the way that IPCop does. With that, I can see a daily record in the web interface of every single attempt on every single day that it's running. In particular, it's the number of attempts I get each day that I like to see, so I can't see the point in spending significant money just to get something that loses me a critical feature. The SRX100 does have a lot of advanced features though and I can see why companies would want to use it, it's just not for me.

I'm just gonna have to get off my ass and fix/replace the fan in that old PC now. 
Thanks for all your help though, especially @Rhyseh.


----------

