New updated ScreenOS Signing Key, Boot Loader and ScreenOS images

[TSB16496]


Alert Type:
PSN - Product Support Notification
Product Affected:
All devices Running ScreenOS
Alert Description:
Juniper Networks has identified a potential exposure of the digital key used to sign NetScreen devices that run ScreenOS software images. While there is no evidence of a compromise, Juniper has taken proactive steps to revoke the old signing key and move to a new signing key for all NetScreen devices that run ScreenOS software. This measure applies only to NetScreen devices that run ScreenOS software, and does not apply to any other Juniper products.
Solution:
Customers who have installed any upgrades or patches to their ScreenOS products since 1 June 2014 are being advised to install the new signing key, ScreenOS and Boot Loader (when applicable) immediately; this will confirm the authenticity of the upgrades or patches completed since 1 June 2014. All customers will need to install these components to support future upgrades or patches to their ScreenOS products.


Customers are being asked to review TSB16495 carefully and follow its instructions for installing the new signing key, as necessary.

Frequently Asked Questions

Q: What is the function of the signing key for the ScreenOS products?
A: The signing key enables a ScreenOS product to determine the authenticity of software provided by Juniper. Each ScreenOS build (since v2.6.1r1) has included a signing key (also known as the authentication key, image key or imagekey.cer) pre-loaded into the Juniper firewall or VPN device. When the device is rebooted, the signing key validates the authenticity of the Juniper software that has been saved in its memory. If the validation fails, the device does not load the software. The validation that occurs between the signing key on the device and the signing key on the software ensures that rogue or tampered software cannot be loaded.

Q: Am I being advised to replace the signing key?
A: Yes. If you have installed Juniper software, patches, or upgrades on a ScreenOS product since 1 June 2014, we advise you to replace the signing key as soon as possible as a precautionary measure.

If you have not installed a new version of software since 1 June 2014, you will be required to update the key before installing any future software, patches, or updates.

Q: Will I be required to upgrade to a later version of code after updating my signing key?
A: No. You will not need to change your software version. However, you will need to download the same version again so that it carries the new signing key. All supported software versions signed using the new key are available on the software download site. (If you are running an unsupported version of software, you will be required to upgrade to a supported version.)

Q: If I have a special ScreenOS image or a CSP (Customer Specific Patch) and cannot move to 6.3r18, what is the procedure to obtain a CSP with the new image? What is the process if the version is EOL?
A: Please contact JTAC to get the CSP firmware signed by the new image key.

Q: How does this change affect my device?
A: Any new ScreenOS firmware and boot loaders distributed by Juniper Networks since 18 August 2014 for the NetScreen product line (ISG Series, NetScreen Series, and SSG Series) will have been signed using the new signing key. The device will fail to boot properly with these images until the signing key has been updated as outlined in TSB16495.

Q: How can I tell which signing key my ScreenOS firmware and boot loader have been signed with?
A: If a signing key is installed on the device, the ScreenOS firmware and boot loader are authenticated against that key during a firmware or boot loader upgrade and again when the device boots up. In this case, compare the non-zero key values: a value that starts with 308201ac indicates the old signing key, and a value that starts with 308201ad indicates the new signing key. For more information, refer to TSB16495.

If the device does not have a signing key installed, you need to compare the checksum value after saving the ScreenOS firmware from the device flash to a TFTP server. Refer to KB29296 - ScreenOS and Boot Loader Checksum Values Signed by Old and New Image Key.
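The prefixes quoted above are the first bytes of a DER-encoded certificate header (a SEQUENCE tag followed by a two-byte length), which is why the old and new keys differ only in the final nibble: the new key's outer structure is one byte longer. The following helper, added here as an illustration and not a Juniper tool, classifies a key value copied from the console by that prefix and decodes the declared DER length; the sample value is constructed and only its header is meaningful.

```python
# Leading hex digits that TSB16496 gives for the two ScreenOS image keys.
OLD_KEY_PREFIX = "308201ac"
NEW_KEY_PREFIX = "308201ad"


def der_sequence_length(data: bytes) -> int:
    """Return the declared content length of the outer DER SEQUENCE.

    0x30 is the SEQUENCE tag; a length byte >= 0x80 means long form,
    where the low 7 bits give how many length bytes follow. So the
    header 30 82 01 ac declares 0x01ac = 428 bytes and 30 82 01 ad 429.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short-form length
        return first
    n = first & 0x7F                       # number of length bytes
    if n == 0 or len(data) < 2 + n:
        raise ValueError("truncated DER length")
    return int.from_bytes(data[2:2 + n], "big")


def classify_signing_key(hex_value: str) -> str:
    """Map a key value shown by the device to 'old', 'new', 'none' or 'unknown'.

    Whitespace and case are normalised so a value pasted from a console
    session compares cleanly. An all-zero value is treated as 'none',
    since only non-zero values identify an installed key.
    """
    h = "".join(hex_value.split()).lower()
    if not h or set(h) <= {"0"}:
        return "none"
    if any(c not in "0123456789abcdef" for c in h):
        return "unknown"
    if h.startswith(OLD_KEY_PREFIX):
        return "old"
    if h.startswith(NEW_KEY_PREFIX):
        return "new"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the header is real DER, the tail is filler.
    sample = "30 82 01 ad 30 82 01 16 a0 03 02 01 02"
    print(classify_signing_key(sample),
          der_sequence_length(bytes.fromhex("".join(sample.split()))))
```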

Q: Can I turn off the ScreenOS firmware and boot loader authenticity check?
A: Yes, but it is not recommended by Juniper Networks because the ISG Series, NetScreen Series, and SSG Series are security devices. The steps to disable the checks are outlined in TSB16495.

Q: What security am I giving up if I disable the ScreenOS firmware and boot loader authenticity checking?
A: With the image check disabled, a counterfeit or corrupted ScreenOS firmware or boot loader is able to run on the device and change the way the device operates.

Q: Image Authentication on my device is currently disabled. What is the process to re-enable the authentication check?
A: If you want to enable the Image Authentication feature, simply install the new image key and follow the instructions outlined in TSB16495.

Q: Will new ScreenOS products delivered to customers have the new signing key installed?
A: All ScreenOS products manufactured on or after 18 August 2014 will include the new signing key. All RMA/spares units will contain the new signing key, unless explicitly noted on an informational label attached to the unit.

Q: Where can I get details regarding this advisory?
A: Complete details, including instructions for replacing the signing key, are published in TSB16495.

Q: What is the nature of the incident that prompted Juniper to take this action?
A: Juniper Networks has identified a potential exposure of the digital key used to sign ScreenOS software images. While there is no evidence of a compromise, Juniper has taken proactive steps to revoke the old signing key and move to a new signing key for all ScreenOS releases.


Q: I have devices to which I do not have a console cable connection. How do I upgrade them using TSB16495?
A: Originally a console cable was needed for the procedure in TSB16495; however, an alternate method is now available in KB29456.

Q: If I update the device and need to roll back to an old ScreenOS firmware and boot loader, will the device load the ScreenOS and boot loader properly and function?
A: All ScreenOS firmware and boot loaders have been re-signed using the new signing key and are available on the software download site. If the ScreenOS firmware signed by the old image key is not on the software download site, you can request it through JTAC. If you have an old ScreenOS firmware image and boot loader that were distributed before 18 August 2014, they were signed with the old image key and will not work properly until you follow the steps outlined in TSB16495: for example, either change the image key (from the new image key back to the old image key) or delete the image key before rolling back to the old ScreenOS firmware and boot loader.

Q: What versions of ScreenOS are affected?
A: All ScreenOS firmware and boot loaders that are still active under the Juniper Networks End of Life and End of Support policies. Refer to ScreenOS Dates and Milestones. Currently ScreenOS 6.3 is under active support based on the End of Life and End of Support policies.

Q: My hardware is EOL, but we still use it in production. What are my options?
A: Support is only provided for products whose new-product warranty coverage was converted to a support services contract before the standard warranty expired, one (1) year after the last order date. However, if you can download ScreenOS firmware and boot loaders from the software download site, you can refer to TSB16495.

Q: Who do I contact if I need more information regarding this TSB?
A: If more information is needed regarding this issue, please email: screenos-keys@juniper.net

