Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including which devices customers bought, as well as each product's warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.
Sunnyvale, Calif. based Juniper Networks makes high-powered Internet routers and switches, and its products are used in some of the world's largest organizations. Earlier this week KrebsOnSecurity heard from a reader responsible for managing multiple Juniper devices, who found he could use Juniper's customer support portal to find device and support contract information for other Juniper customers.
Logan George is a 17-year-old intern working for an organization that uses Juniper products. George said he found the data exposure earlier this week by accident while searching for support information on a specific Juniper product.
George discovered that after logging in with a regular customer account, Juniper's support website allowed him to list detailed information about virtually any Juniper device purchased by other customers. Searching on Amazon.com in the Juniper portal, for example, returned tens of thousands of records. Each record included the device's model and serial number, the approximate location where it is installed, as well as the device's status and associated support contract information.
George said the exposed support contract information is potentially sensitive because it shows which Juniper products are most likely to be lacking critical security updates.
“If you don't have a support contract you don't get updates, it's as simple as that,” George said. “Using serial numbers, I could see which products aren't under support contracts. And then I could narrow down where each device was sent through their serial number tracking system, and potentially see all of what was sent to the same location. A lot of companies don't update their switches very often, and knowing what they use allows someone to know what attack vectors are possible.”
In a written statement, Juniper said the data exposure was the result of a recent upgrade to its support portal.
“We were made aware of an inadvertent issue that allowed registered users to our system to access serial numbers that were not associated with their account,” the statement reads. “We acted promptly to resolve this issue and have no reason to believe at this time that any identifiable or personal customer data was exposed in any way. We take these matters seriously and always use these experiences to prevent further similar incidents. We are actively working to determine the root cause of this defect and thank the researcher for bringing this to our attention.”
The company has not yet responded to requests for information about exactly when those overly permissive user rights were introduced. However, the changes may date back to September 2023, when Juniper announced it had rebuilt its customer support portal.
George told KrebsOnSecurity the back-end for Juniper's support website appears to be powered by Salesforce, and that Juniper likely didn't have the proper user permissions established on its Salesforce assets. In April 2023, KrebsOnSecurity published research showing that a surprising number of organizations — including banks, healthcare providers and state and local governments — were leaking private and sensitive data thanks to misconfigured Salesforce installations.
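The defect Juniper describes, a logged-in user able to retrieve serial numbers not associated with their own account, is a missing object-level authorization check: the portal authenticated the caller but never scoped the records it returned to that caller's account. The following is an added, self-contained Python illustration written for this article, not Juniper's or Salesforce's code; the inventory, account ids, model names and serial numbers are all constructed placeholders. It puts the permissive lookup next to the scoped one and includes a small check a defender can run over a result set to confirm nothing crossed an account boundary.

```python
"""Object-level authorization in a support-portal device lookup.

Constructed example: the records, account ids, model names and serial
numbers below are placeholders, not real customer or product data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    model: str
    account_id: str          # the customer account that owns the device
    location: str
    support_contract_active: bool


# Constructed sample inventory spanning three customer accounts.
INVENTORY = [
    DeviceRecord("SN-000001", "MODEL-A", "acct-A", "Site A", True),
    DeviceRecord("SN-000002", "MODEL-B", "acct-A", "Site A", False),
    DeviceRecord("SN-000003", "MODEL-C", "acct-B", "Site B", False),
    DeviceRecord("SN-000004", "MODEL-A", "acct-C", "Site C", True),
]


def _matches(record, query):
    """Case-insensitive substring match on serial or install location."""
    q = query.lower()
    return q in record.serial.lower() or q in record.location.lower()


def lookup_vulnerable(query, caller_account_id):
    """Permissive lookup: the caller is authenticated (we know who they
    are) but the filter never uses caller_account_id, so any registered
    user can enumerate every customer's devices by searching broadly."""
    if not caller_account_id:
        raise PermissionError("login required")
    return [r for r in INVENTORY if _matches(r, query)]


def lookup_hardened(query, caller_account_id):
    """Scoped lookup: results are restricted to the caller's own account
    *before* the search runs, so a broad query only reveals the caller's
    devices and a foreign serial number simply returns nothing."""
    if not caller_account_id:
        raise PermissionError("login required")
    owned = [r for r in INVENTORY if r.account_id == caller_account_id]
    return [r for r in owned if _matches(r, query)]


def crosses_account_boundary(results, caller_account_id):
    """Defender-side check: True if any returned record belongs to an
    account other than the caller's. Useful as a unit test on the lookup
    layer or as an assertion on sampled API responses in production."""
    return any(r.account_id != caller_account_id for r in results)


if __name__ == "__main__":
    broad = "SN-"  # a deliberately wide query, like searching a common name
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("hardened", lookup_hardened)):
        rows = fn(broad, "acct-A")
        print(f"{name}: {len(rows)} record(s), cross-account="
              f"{crosses_account_boundary(rows, 'acct-A')}")
```

The important detail is where the account filter sits: in the hardened version it is applied to the data set before any user-supplied query touches it, so there is no request shape that can widen the result set beyond the caller's own devices. In a Salesforce-backed portal the equivalent control is the sharing and object/field permission configuration for the external user profile, which is exactly the layer the article says was likely misconfigured.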
Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis, said the complexity layered into modern tech support portals leaves much room for error.
“This is a reminder of how hard it is to build these large systems like support portals, where you need to be able to manage gazillions of users with distinct access roles,” Weaver said. “One minor screw up there can produce hilarious results.”
Last month, computer maker Hewlett Packard Enterprise announced it would buy Juniper Networks for $14 billion, reportedly to help beef up the 100-year-old technology company's artificial intelligence offerings.
Update, 11:01 a.m. ET: An earlier version of this story quoted George as saying he was able to see support information for the U.S. Department of Defense. George has since clarified that while one block of device records he found was labeled “Department of Defense,” that record appears to belong to a different country.