Juniper officials said this week that they fixed a bug in the Junos operating system’s certificate validation.
This flaw would let attackers generate a self-signed certificate and bypass certificate validation, according to the company’s security advisory. When a peer device presents a self-signed certificate as its end entity certificate, with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped.
Juniper is now aware of the problem and has taken action to fix it. Juniper’s Security Incident Response Team (SIRT) is not aware of any malicious use of this vulnerability. In the advisory, Juniper claims that no other Juniper products or platforms are affected by the issue.
Users can fix these security vulnerabilities with its next available Junos maintenance release. For users under a tight timeframe, service releases will be made available.
This is certainly not the worst security incident Juniper has faced lately. In December, the company patched up a back door deliberately placed in Netscreen firewalls. Independent security researchers were able to confirm that the malicious code was disguised to look like a debugging routine, according to an Ars Technica article.
The article says that Juniper’s recent certificate validation failure was one of six recent vulnerabilities that were fixed in Juniper’s products.