Juniper Crypto Bug Lets Attackers Eavesdrop
Juniper Networks patched a crypto bug tied to its public key infrastructure that could have allowed hackers to access the company’s routers, switches and security devices and eavesdrop on sensitive communications. The flaw was tied to Juniper products and platforms running Junos, the Juniper Network Operating System.
The bug (CVE-2016-1280) was found internally by Juniper, which has patched it and published its own advisory describing the vulnerability.
The vulnerability allowed attackers to create specially crafted self-signed certificates that bypassed certificate validation on Juniper hardware running Junos OS. If exploited, it could have allowed an attacker in a man-in-the-middle position on the victim's network to read supposedly secure communications.
“When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid,” explains Juniper.
Juniper said the vulnerability only affects certificates used for the Internet Key Exchange (IKE) and Internet Protocol security (IPsec) protocols.
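To make the validation flaw Juniper describes concrete, here is an added toy model in Python (not Juniper's code, and not how Junos implements it) contrasting a validator that trusts a self-signed certificate on an issuer-name match with one that verifies the signature under the enrolled CA's key. The CA names, keys and certificates are constructed, and an HMAC stands in for the CA's RSA/ECDSA signature so the example runs with only the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy model: a certificate's "signature" is an HMAC over its
# to-be-signed fields keyed with the issuer's key material. This stands in
# for the real X.509 signature; the decision logic being compared (name
# match versus cryptographic verification) is what matters here.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signature: bytes


def tbs(subject: str, issuer: str) -> bytes:
    return f"{subject}|{issuer}".encode()


def sign(subject: str, issuer: str, signing_key: bytes) -> Cert:
    sig = hmac.new(signing_key, tbs(subject, issuer), hashlib.sha256).digest()
    return Cert(subject, issuer, sig)


# Enrolled CA trust store: distinguished name -> key material (constructed)
ENROLLED_CAS = {"CN=Corp Root CA": b"corp-root-ca-key-material"}


def verify_signature(cert: Cert) -> bool:
    # Issuer name only selects which enrolled CA to check against.
    key = ENROLLED_CAS.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, tbs(cert.subject, cert.issuer), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_vulnerable(cert: Cert) -> bool:
    """Flawed: a self-signed cert whose issuer name matches an enrolled CA
    is treated as valid and its signature is never checked."""
    if cert.subject == cert.issuer and cert.issuer in ENROLLED_CAS:
        return True
    return verify_signature(cert)


def validate_fixed(cert: Cert) -> bool:
    """Correct: every peer certificate must verify under the enrolled CA's key."""
    return verify_signature(cert)


# Legitimate end-entity certificate issued by the enrolled CA
GOOD_CERT = sign("CN=vpn-gw-1", "CN=Corp Root CA", ENROLLED_CAS["CN=Corp Root CA"])
# Self-signed certificate that merely copies the enrolled CA's name as issuer
SPOOFED_CERT = sign("CN=Corp Root CA", "CN=Corp Root CA", b"unrelated-key")
```

The vulnerable validator accepts both certificates; the fixed one rejects the spoofed certificate because its signature does not verify under the enrolled CA's key.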
For further details, see https://threatpost.com/juniper-crypto-bug-lets-attackers-eavesdrop-on-router-switch-traffic
By on 30/10/2016