Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including which devices customers bought, as well as each product’s warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.
Sunnyvale, Calif. based Juniper Networks makes high-powered Internet routers and switches, and its products are used in some of the world’s largest organizations. Earlier this week KrebsOnSecurity heard from a reader responsible for managing multiple Juniper devices, who found he could use Juniper’s customer support portal to find device and support contract information for other Juniper customers.
Logan George is a 17-year-old intern working for an organization that uses Juniper products. George said he found the data exposure earlier this week by accident while searching for support information on a specific Juniper product.
George discovered that after logging in with a regular customer account, Juniper’s support website allowed him to list detailed information about virtually any Juniper device purchased by other customers. Searching on Amazon.com in the Juniper portal, for example, returned tens of thousands of records. Each record included the device’s model and serial number, the approximate location where it is installed, as well as the device’s status and associated support contract information.
George said the exposed support contract information is potentially sensitive because it shows which Juniper products are most likely to be lacking critical security updates.
“If you don’t have a support contract you don’t get updates, it’s as simple as that,” George said. “Using serial numbers, I could see which products aren’t under support contracts. Then I could narrow down where each device was sent through their serial number tracking system, and potentially see all of what was sent to the same location. A lot of companies don’t update their switches very often, and knowing what they use allows someone to know what attack vectors are possible.”
In a written statement, Juniper said the data exposure was the result of a recent upgrade to its support portal.
“We were made aware of an inadvertent issue that allowed registered users to our system to access serial numbers that were not associated with their account,” the statement reads. “We acted promptly to resolve this issue and have no reason to believe at this time that any identifiable or personal customer data was exposed in any way. We take these matters seriously and always use these experiences to prevent further similar incidents. We are actively working to determine the root cause of this defect and thank the researcher for bringing this to our attention.”
The company has not yet responded to requests for information about exactly when those overly permissive user rights were introduced. However, the changes may date back to September 2023, when Juniper announced it had rebuilt its customer support portal.
George told KrebsOnSecurity the back-end for Juniper’s support website appears to be supported by Salesforce, and that Juniper likely did not have the proper user permissions established on its Salesforce assets. In April 2023, KrebsOnSecurity published research showing that a surprising number of organizations — including banks, healthcare providers and state and local governments — were leaking private and sensitive data thanks to misconfigured Salesforce installations.
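The defect Juniper describes, a lookup that honors the search term but not the caller’s account, is the object-level authorization gap that a tenant-scoped query removes. The Python below is an added illustration and not Juniper’s or Salesforce’s code; it assumes a constructed inventory of device records carrying the fields the article mentions (model, serial, location, support contract status) and shows the unscoped search beside the scoped one, plus a log check that flags records served outside the caller’s account.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    account_id: str        # customer account that owns the device
    model: str
    serial: str
    location: str
    support_contract: str  # "active" or "expired"


# Constructed sample inventory; serials, models and locations are made up.
INVENTORY = [
    Asset("acct-A", "EX4300-48T", "SN-A-0001", "Ashburn, VA", "active"),
    Asset("acct-A", "MX204", "SN-A-0002", "Ashburn, VA", "expired"),
    Asset("acct-B", "QFX5120", "SN-B-0001", "Dublin, IE", "expired"),
]


def _matches(asset: Asset, query: str) -> bool:
    q = query.lower()
    return q in asset.model.lower() or q in asset.serial.lower()


def search_assets_unscoped(query: str) -> list[Asset]:
    """Flawed pattern: the predicate is the search term alone, so any
    registered user can enumerate every other customer's devices."""
    return [a for a in INVENTORY if _matches(a, query)]


def search_assets_scoped(caller_account: str, query: str) -> list[Asset]:
    """Hardened pattern: the authenticated caller's account is part of the
    selection predicate (not a post-filter), so records outside that account
    are never selected, whatever the query says."""
    return [a for a in INVENTORY
            if a.account_id == caller_account and _matches(a, query)]


def cross_account_reads(access_log: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Detection: from constructed (caller_account, serial_served) log entries,
    return those where the served record belongs to a different account.
    Unknown serials are ignored rather than flagged."""
    owner_by_serial = {a.serial: a.account_id for a in INVENTORY}
    return [(caller, serial) for caller, serial in access_log
            if owner_by_serial.get(serial) not in (None, caller)]
```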
Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said the complexity layered into modern tech support portals leaves much room for error.
“This is a reminder of how hard it is to build these large systems like support portals, where you need to be able to manage gazillions of users with distinct access roles,” Weaver said. “One minor screw up there can produce hilarious results.”
Last month, computer maker Hewlett Packard Enterprise announced it would buy Juniper Networks for $14 billion, reportedly to help beef up the 100-year-old technology company’s artificial intelligence offerings.
Update, 11:01 a.m. ET: An earlier version of this story quoted George as saying he was able to see support information for the U.S. Department of Defense. George has since clarified that while one block of device records he found was labeled “Department of Defense,” that record appears to belong to a different country.