Congress demands backdoor audits by government agencies

The House of Representatives Committee on Oversight and Government Reform notified 24 federal agencies over the weekend that security audits must be performed in order to determine what systems may have been affected by the recently uncovered backdoor in Juniper’s ScreenOS.

Juniper admitted that it had found “unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” and released a patch for affected devices in December.

The committee sent letters to a number of agencies, including the Securities and Exchange Commission, the General Services Administration, NASA, and the Environmental Protection Agency, as well as the Departments of Defense, Commerce, Labor, Energy, and State. The targeted agencies will have until February 4th to audit their systems and determine whether any NetScreen firewalls in use were affected by the Juniper backdoor.

In that time, the oversight committee expects the agencies to report back on any devices that were affected, descriptions of how the agencies found out about the vulnerabilities, steps taken to mitigate the vulnerabilities before the systems were patched, and proof that the systems were patched with the software Juniper pushed out in December.

Stephen Gates, chief research analyst and principal engineer at NSFOCUS IB, said it is in the best interest of all U.S. citizens to ensure that the government is secure, but noted that a security audit is not the same as a fix.

“One would think that there are thousands upon thousands of Juniper systems running and securing our government’s networks. However, I’m not sure if auditing all of the possible vulnerable systems can be performed in such a short period of time,” Gates said. “Remember, an audit is not a fix. Once all of the vulnerable systems are found, maintenance windows and outages would likely be incurred as systems are being updated with patches that will eliminate these known vulnerabilities.”

The Juniper backdoor has been linked to the use of a cryptographic algorithm that was purposely weakened by the National Security Agency (NSA). There are also questions about whether, and when, the NSA first knew about the backdoors in Juniper systems.

At the time of this publication, the NSA had not responded to requests for comment.
