Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

ScreenOS Firmware Image Authenticity Notification



Article ID: JSA10392 SECURITY_ADVISORIES Last Updated: 09 Jul 2014Version: 7.0
Legacy Advisory Id:
Product Affected:
All ScreenOS Firewall Platforms (NS, ISG, and SSG) are affected.
All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed. This exploit requires the attacker to have administrative access to the device, either locally or remotely.
Junipers ScreenOS firewall platforms have several mechanisms to protect against such attacks. Juniper recommends that customers utilize all of these features. These include:
  • Screen OS Image Authentication: When the image authentication certificate is installed, the device will authenticate the installed image at boot time to ensure that it is an authentic image provided by Juniper. Images that fail authentication will not boot. Currently, all Juniper firewalls ship without this certificate installed.
  • Manager-IP: This allows the administrator to specify which hosts (via their IP addresses) can manage the device, making it more challenging for the attacker to gain access. The device will not respond to hosts other than those listed.
  • Change Administrative TCP Ports: The administrator can change the TCP port that the device listens on for admin services (HTTPS, SSH), assigning them non-standard ports. This forces the attacker to check non-standard ports. The device will only respond on the ports that are configured.
  • Utilize Industry Best Practices: Juniper recommends that customers always utilize best practices. Some examples are listed below.
    • Change administrative passwords regularly and use passwords that are difficult to guess.
    • Change the administrative name to something different than the default (?netscreen? is default).
    • Never grant access to your firewalls to users you do not trust.
    • Provide only the minimum access level needed for each administrator.
    • Promptly remove access rights to people who leave your organization or no longer need access.
    • Before installing it on your device, use an MD5 checksum utility to compare the MD5 checksum of the ScreenOS Image to the value provided on Junipers software download site. The result should match the value provided.
    • Only manage the device via encrypted means such as HTTPS and SSH.

Following all the recommendations listed here will help you to protect your device from malicious intent.
Juniper recommends that customers utilize the following features of ScreenOS to prevent malicious software installation.
  • Install the imagekey.cer certificate. If this certificate is installed on the firewall, all software images will be authenticated. Images that fail authentication will be prevented from booting. Instructions on how to check if the Image Authentication Certificate is installed, how to load the Image Authentication Certificate, and how to check if the ScreenOS Image authenticated successfully are documented in the image_key_readme.pdf. Refer to the first link in the Related Links section of this article on how to download and install the imagekey.cer certificate.
    • Note for NS-5200/5400 M2 or ISG1000/ISG1000-IDP: Customers that are using the NS-5200 or NS-5400 platform with the M2 version of the Management Card, or ISG1000/ISG1000-IDP should ensure that they have the latest bootloader (load5000v103.d or later for NS5000 or load1000v102.d or later for ISG1000) installed BEFORE installing the imagekey.cer certificate.
  • Utilize the "Manager-IP" feature to control which hosts (via their IP addresses) can manage your firewall. Refer to KB3905 on how to check the Manager-IP settings and configure them. Also, refer to the Concepts & Examples ScreenOS Reference Guide: Vol 3, Administration guide for additional configuration details.
  • Change the TCP port by which the device listens for administration traffic (HTTPS, SSH). Refer to KB11376 on how to check and change the admin ports defined on the firewall. Also, refer to the Concepts & Examples ScreenOS Reference Guide: Vol 3, Administration guide for additional configuration details.
Severity Level:
Severity Assessment:
This issue requires that the attacker have access (local or remote) to the device, something that can be prevented by following industry best practices.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search