
benjojo posted 12 Mar 2025 16:04 +0000

Juniper router/switches now have anti-virus. What a time to be alive.

root@Amnesiac> request system malware-scan quick-scan 
Found potential malware: No  

This seems to be part of JSA95385, that links to JSA93446

The JSA93446 is weirdly going out of its way to say the victim was not Amazon:

At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability.

But I enjoy(?) that the detailed report has the "pet names" that the Juniper teams gave each implant discovered in the wild.

The tl;dr of the wider thing is that one implant is JunOS specific, the rest are generic "open source malware" payloads that happen to run on FreeBSD/Linux

Malware Analysis

This section describes the findings made during the reverse engineering effort, which included decomposition of each malware binary, static analysis of its metadata and flow, and an impact analysis on how it could affect Junos OS at run-time. All malware samples analyzed target Junos OS, Juniper Networks' FreeBSD-based operating system. The following malware implants were recovered from the MX Series routers:

1. The Local Memory Patching Attack Daemon (lmpad)
2. The Junos Denial of Service Daemon (jdosd)
3. The Internet Remote Access Daemon (irad)
4. A Poorly Plagiarized Implant Daemon (appid)
5. The TooObvious (to)
6. The Obscure Enigmatic Malware Daemon (oemd)

NOTE: These names were crafted by Juniper based on malware behavior. They were not used by the malware authors themselves

benjojo replied 12 Mar 2025 16:04 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/tmvXQVqcsl2HkVrgv4

It also seems really obvious that the first thing that future implants are going to do is patch the CLI to make request system malware-scan quick-scan not admit anything.

But I assume there is at least one customer who this gives a warm fuzzy feeling to