Juniper router/switches now have anti-virus. What a time to be alive.

root@Amnesiac> request system malware-scan quick-scan
Found potential malware: No

This seems to be part of JSA95385, that links to JSA93446.

The JSA93446 is weirdly going out of its way to say the victim was not Amazon:

"At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability."

But I enjoy(?) that the detailed report has the "pet names" that the Juniper teams names for each implant discovered in the wild.

The tl;dr of the wider thing is that one implant is JunOS specific, the rest are generic "open source malware" payloads that happen to run on FreeBSD/Linux
VE2UWY@mastodon.radi..
replied 12 Mar 2025 17:49 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/tmvXQVqcsl2HkVrgv4
@benjojo Cool. Glad I don't work at a place that had closets full of Juniper. Nice stuff, actually. Loved to drop to a shell and poke around in BSD ... Which I'm guessing the customer (not Amazon) failed to secure ...
benjojo
replied 12 Mar 2025 17:53 +0000
in reply to: https://mastodon.radio/users/VE2UWY/statuses/114150721654393664
@VE2UWY I think also the implication here is that the customer (not Amazon) had open ssh and/or compromised root password creds as well. I guess there is greater nuance of "maybe don't expose your 100k$ tin can's control plane to the internet"
benjojo
replied 12 Mar 2025 16:04 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/tmvXQVqcsl2HkVrgv4
It also seems really obvious that the first thing that future implants are going to do is to patch the CLI to make "request system malware-scan quick-scan" not admit anything. But I assume there is at least one customer who this gives a warm fuzzy feeling to
benjojo
replied 12 Mar 2025 16:11 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/859Rp3hNNrNSFC1kb5
Also, [see picture of my face trying to upgrade with a new JunOS and praying nothing breaks in front of me]
Customers are encouraged to upgrade to a fixed release as soon as it's available
eta@gotosocial.i.eta..
replied 12 Mar 2025 16:13 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/1KT34MF3rJqVB737M1
sully@splodge.fluff...
replied 12 Mar 2025 17:27 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/1KT34MF3rJqVB737M1
@benjojo 21.4R3-S9 on EX4600s couldn't radius authenticate as they just yeeted libradius into their build system to fix Blast-radius without checking that it worked, I have to test sodding everything
sully@splodge.fluff...
replied 12 Mar 2025 17:31 +0000
in reply to: https://splodge.fluff.org/users/sully/statuses/114150634343065005
@benjojo "Oh, you expected DHCP forwarding to carry on working after a minor version upgrade? Well ..."
sully@splodge.fluff...
replied 12 Mar 2025 17:45 +0000
in reply to: https://splodge.fluff.org/users/sully/statuses/114150650616824290
@benjojo I notice *again* that I'm already testing the fixed versions in that JSA as they've released a JSA some time after they've released the fixed versions, at least this one is weeks rather than months as in previous cases