Software Integrity Blog


US Congress investigates Juniper software flaw

On Wednesday, a tech savvy member of the U.S. Congress criticized a no show by Juniper Networks executives during a hearing exploring whether any government data was stolen as a result of a software flaw first disclosed last December.

Rep. Ted Lieu (D-Calif.) said “I find it disrespectful that they did not come here to testify. It insinuates they have something to hide.”

In December 2015, researchers identified a backdoor in Juniper’s ScreenOS, apparently dating back to 2013. In a Juniper advisory issued for CVE-2015-7755 and CVE-2015-7756 the company admitted there was unauthorized code found the shipped versions of its NetScreen firewalls. One backdoor allowed a remote attacker to VPN into a system and eavesdrop. Another backdoor allowed a remote attacker to bypass authentication in the SSH and Telnet daemons.

US Congress began hearings this month to investigate the 24 U.S. departments and agencies that used the compromised software.

During this week’s hearing, Lieu, who holds a bachelor’s degree in computer engineering, disagreed with those who said that Juniper was a victim as well. “Juniper is not the victim in this case,” he said. “The U.S. government and the American people are.”

According to The Hill, Sanjeev Bhagowalia, The Treasury Department’s chief information officer, testified that no data was stolen from his department as a result of the software flaw.

“How would you know if something was taken or not?” Rep. Will Hurd (R-Texas) asked the Treasury’s CIO. Additionally, Hurd wanted to know how much so-called legacy software the Treasury Department is using — software that is no longer updated or supported by the vendor.

“It’s a small percentage,” Bhagowalia told the committee, but he did not name an exact figure according to The Hill.


More by this author