The US government has warned that secret code embedded into equipment made by networking provider Juniper Networks could leave back doors for attackers to infiltrate into corporate and government bodies.
Juniper admitted that rogue code that was inserted into its ScreenOS software three years ago has only just been discovered. Numerous large organisations including government clients use firewall devices that run on ScreenOS.
Outside experts have claimed the code was likely planted by a nation state or sophisticated criminals.
Skilled attackers could apparently use the back door to unscramble encrypted communications.
“During a recent internal code review, Juniper discovered unauthorised code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” the company said.
“Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.
“At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”
The incident at Juniper comes at the end of a year of several high-profile hacks on Washington, including at the White House, State Department and Office of Personnel Management.
A senior U.S. official who declined to be named because of the sensitivity of the matter said the Department of Homeland Security is working with Juniper as it investigates the issue.
Juniper's notice to customers did not say whether the company was aware of how the code was inserted in the software.
"This shines a light on the fact that kind of attack is something intelligence agencies are probably doing," said Chris Wysopal, chief technology officer with Veracode, a maker of software for uncovering coding bugs.
Juniper said that while it had not yet received any reports of these vulnerabilities being exploited by hackers, it ‘strongly recommend’ that customers update their systems with a patch that removes the exploit.