In recent years, technology solution providers have had to keep an extra watchful eye over their proprietary systems. In the current landscape, hackers are looking for any possible opportunity to exploit popular software in an effort to infect users. The vendors providing this technology must take steps to ensure that not only are their solutions free of weaknesses, but that users are fully protected as well.
After discovering exploitable vulnerabilities within its own software, Juniper Networks disclosed the problems and urged users to upgrade to a patched version. Spurred by this event, Cisco has announced that it will internally review its own software systems in order to ensure protection and uphold customers’ trust.
In mid-December, Juniper Networks began warning customers about issues pertaining to NetScreen enterprise firewalls. According to Network World, Juniper discovered that a batch of bad code could be utilized by cybercriminals to gain control and to intercept and decrypt virtual private network traffic. The vulnerability impacted any NetScreen firewall user utilizing a corporate site that supported mobile access, a group that, in the current enterprise technology landscape, includes quite a few organizations.
“Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable hacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Networks stated, according to Network World.
Now that data breaches and attacks have become near-daily occurrences, it’s clear that vendors must be more proactive about the security of their products. Juniper noted that the unauthorized code contained in its ScreenOS was found during “a recent internal code review,” according to Network World.
However, it seems as if these weaknesses may have existed in the platform for a lot longer – portions of code currently being patched have been utilized by the system since August 2012.
On the heels of Juniper Networks’ warnings came an announcement from Cisco, noting that the company would begin its own internal code review in an effort to discover any “malicious modifications” that may have been made by hackers, Network World noted.
“Our additional review includes penetration testing and code review by engineers with deep networking and cryptography experience,” Anthony Grieco, Cisco Security and Trust Organization senior director, wrote in the Cisco Security blog. “We have seen none of the indicators discussed in Juniper’s disclosure. Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk.”
According to Grieco, Cisco upholds a no-backdoor policy within its software solutions, meaning that any undisclosed strategies for device access, use of hardcoded or undocumented access credentials, undocumented traffic diversion or covert communications channels are banned. Grieco also noted that Cisco’s review did not come “in response to any outside request.”
“Cisco launched the review because the trust of our customers is paramount,” Grieco wrote in Cisco’s blog. “We have not been contacted by law enforcement about Juniper’s bulletin. We are doing this because it’s the right thing to do.”