Devices running Juniper's ScreenOS - the operating System used on the company's VPN-enabling firewalls are vulnerable. Specifically versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and subject to the patch.
According to Bob Worrall, SVP & CIO, "During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."
An advisory details the specific versions affected and the urgency of the patch. This advisory makes clear that there are two separate issues. The ability to authenticate to the firewall as 'system' and also the ability to monitor and decrypt trsaffic.
Of greatest concern is the Juniper comment, "there is no way to detect that this vulnerability was exploited."
iTWire understands that the FBI is investigating the breach amid fears of foreign hackers or even state-sponsored attempts at intrusion.
The earliest nominated version affected by the advisory (6.2.0r15) appears to have first been made available to customers in late 2012.
Of course there is nothing to say that the "foreign hackers" aren't much more local that the US would care to admit. Much of the reporting of Snowden's material centres on the NSA's ability to infiltrate equipment from a number of manufacturers, including Juniper.
With the vulnerability having existed for over 3 years, and given the wide use of this equipment, a LOT of people are very worried.