Till earlier this week, the assist web site for networking tools vendor Juniper Networks was exposing probably delicate info tied to buyer merchandise, together with which gadgets clients purchased, in addition to every product’s guarantee standing, service contracts and serial numbers. Juniper mentioned it has since fastened the issue, and that the inadvertent knowledge publicity stemmed from a current improve to its assist portal.
Sunnyvale, Calif. based mostly Juniper Networks makes high-powered Web routers and switches, and its merchandise are utilized in among the world’s largest organizations. Earlier this week KrebsOnSecurity heard from a reader liable for managing a number of Juniper gadgets, who discovered he might use Juniper’s buyer assist portal to seek out gadget and assist contract info for different Juniper clients.
Logan George is a 17-year-old intern working for a corporation that makes use of Juniper merchandise. Talking provided that his employer not be named, George mentioned he discovered the information publicity earlier this week accidentally whereas trying to find assist info on a specific Juniper product.
George found that after logging in with an everyday buyer account, Juniper’s assist web site allowed him to record detailed details about nearly any Juniper gadget bought by different clients. Looking on Amazon.com within the Juniper portal, for instance, returned tens of 1000’s of information. Every report included the gadget’s mannequin and serial quantity, the approximate location the place it’s put in, in addition to the gadget’s standing and related assist contract info.
Info uncovered by the Juniper assist portal. Columns not pictured embody Serial Quantity, Software program Assist Reference quantity, Product, Guarantee Expiration Date and Contract ID.
George mentioned the uncovered assist contract info is probably delicate as a result of it exhibits which Juniper merchandise are most definitely to be missing essential safety updates.
“In the event you don’t have a assist contract you don’t get updates, it’s so simple as that,” George mentioned. “Utilizing serial numbers, I might see which merchandise aren’t beneath assist contracts. After which I might slim down the place every gadget was despatched by means of their serial quantity monitoring system, and probably see all of what was despatched to the identical location. Plenty of corporations don’t replace their switches fairly often, and understanding what they use permits somebody to know what assault vectors are doable.”
In a written assertion, Juniper mentioned the information publicity was the results of a current improve to its assist portal.
“We have been made conscious of an inadvertent concern that allowed registered customers to our system to entry serial numbers that weren’t related to their account,” the assertion reads. “We acted promptly to resolve this concern and don’t have any purpose to consider presently that any identifiable or private buyer knowledge was uncovered in any method. We take these issues severely and at all times use these experiences to forestall additional related incidents. We’re actively working to find out the basis reason for this defect and thank the researcher for bringing this to our consideration.”
The corporate has not but responded to requests for details about precisely when these overly permissive consumer rights have been launched. Nevertheless, the modifications could date again to September 2023, when Juniper introduced it had rebuilt its buyer assist portal.
George advised KrebsOnSecurity the back-end for Juniper’s assist web site seems to be supported by Salesforce, and that Juniper possible didn’t have the right consumer permissions established on its Salesforce belongings. In April 2023, KrebsOnSecurity printed analysis exhibiting {that a} surprising variety of organizations — together with banks, healthcare suppliers and state and native governments — have been leaking non-public and delicate knowledge because of misconfigured Salesforce installations.
Nicholas Weaver, a researcher at College of California, Berkeley’s Worldwide Pc Science Institute (ICSI) and lecturer at UC Davis, mentioned the complexity layered into trendy tech assist portals leaves a lot room for error.
“It is a reminder of how laborious it’s to construct these giant methods like assist portals, the place you want to have the ability to handle gazillions of customers with distinct entry roles,” Weaver mentioned. “One minor screw up there can produce hilarious outcomes.”
Final month, laptop maker Hewlett Packard Enterprise introduced it will purchase Juniper Networks for $14 billion, reportedly to assist beef up the 100-year-old know-how firm’s synthetic intelligence choices.
Replace, 11:01 a.m. ET: An earlier model of this story quoted George as saying he was capable of see assist info for the U.S. Division of Protection. George has since clarified that whereas one block of gadget information he discovered was labeled “Division of Protection,” that report seems to belong to a special nation.
