Firewall Vulnerabilities: Coincidence, or Enemy Action?

“Once is happenstance. Twice is coincidence. The third time it’s enemy action.”  This quote from Ian Fleming’s James Bond novel, Goldfinger describes how a series of apparently unconnected events can form a pattern.  And I was struck by a significant coincidence in two recent announcements from leading firewall vendors.

Earlier this year, I blogged about the discovery of a vulnerability made by Juniper Networks.  During an internal code review, the company detected a backdoor vulnerability in its Netscreen ScreenOS firewalls, versions 6.2 and 6.3.

This particular piece of malicious code would allow hackers to access the Juniper device’s management console with full administrative privileges, enabling them to potentially decrypt VPN traffic. It was a highly sophisticated and insidious attack, and as such there is, in my opinion, a distinct possibility that the party responsible is a nation-state or government agency – though no blame or attribution has been made yet.

In over 15 years of working in the information security industry, I can’t recall coming across such a backdoor in a firewall.  This makes it all the more surprising that news of a significant vulnerability, this time in FortiOS-powered devices from Fortinet, dropped less than a month later.

Now, there are some important differences between these two issues. Unlike the Juniper Networks vulnerability, Fortinet has claimed that the vulnerability is a ‘management authentication issue’ – that is, a programming error made by Fortinet at some point over the last few years, which has now been resolved. Fortinet has made a patch available, and the vulnerability no longer exists in upgraded versions of the firewall.

And to be clear, any speculation at this stage as to the reasons for, or the potential repercussions of these events is just that – speculation.  But it’s certainly interesting to see two firewall backdoor vulnerabilities emerging in the space of one month.

So, what are the possible reasons? Could these discoveries be part of a hugely sophisticated, sustained and possibly even state-sponsored attack against widely-used firewall products? Are technical similarities between different firewalls suddenly being exploited by malicious attackers?  Time may tell. All that is clear at this stage is that this is unprecedented news in the world of information security – and that if another major firm announces a firewall problem in the coming months, then it would be difficult to believe that it is mere coincidence.

Our advice on recommended next steps for users of affected Juniper Netscreen firewalls or FortiOS-powered devices is this:

• Check whether your devices are running the vulnerable software versions
• Schedule an emergency upgrade of any device that is vulnerable

AlgoSec customers should have already received new risk profiles flagging both the vulnerable versions of the solutions from Juniper and Fortinet:  check your emails for this notification.