Before the patch, bad guys could have forged a cryptographic certificate.

A crypto flaw that allowed cyber attackers to eavesdrop on communications running through VPNs has now been patched in Juniper Networks' Junos operating system, according to Ars Technica.

Juniper's advisory (CVE-2016-1280), released Wednesday, addresses a flaw that made it possible to "generate a specially crafted self-signed certificate and bypass certificate validation." That is, a bad guy could forge a cryptographic certificate.

"When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid," the advisory stated. "This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation."
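The validation gap the advisory describes, modeled as an added Go example (not Juniper's code and not taken from the advisory): `issuerNameOnly` is a hypothetical stand-in for a decision based on the issuer name alone, and `chainVerified` is the check that requires a signature from the enrolled CA. The helper `newCert`, the certificate names and the keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate; a nil parent makes it self-signed.
func newCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: usage,
		Subject: pkix.Name{CommonName: cn}, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert, key
}

// issuerNameOnly models the flawed decision: accept when the issuer name matches an enrolled CA.
func issuerNameOnly(peer, ca *x509.Certificate) bool {
	return peer.Issuer.String() == ca.Subject.String()
}

// chainVerified accepts only if the peer's signature verifies under the enrolled CA's public key.
func chainVerified(peer, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	ca, caKey := newCert("Example Enrolled CA", x509.KeyUsageCertSign, nil, nil)
	genuine, _ := newCert("peer.example", x509.KeyUsageDigitalSignature, ca, caKey)
	selfSigned, _ := newCert("Example Enrolled CA", x509.KeyUsageDigitalSignature, nil, nil)
	fmt.Println(issuerNameOnly(selfSigned, ca), chainVerified(selfSigned, ca), chainVerified(genuine, ca))
}
```

It prints `true false true`: the name comparison accepts the self-signed certificate, while signature verification against the enrolled CA rejects it and still accepts the peer the CA actually issued.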

The company claimed it was not aware of any exploitation of this bug.

"The latest flaw in how certificates are trusted affects the privacy and security of hundreds of enterprises around the world," Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SCMagazine on Friday in an emailed statement. "The inability of Juniper's private networks to validate if a connecting device should be trusted or not is a huge blow to the foundation of security that's been built up for the last 20 years. And when the foundation of trust and privacy established by certificates fails, every other layer of security can fail."

Research shows, Bocek added, that it can be incredibly easy to forge a malicious certificate that tricks Juniper devices into accepting untrusted and malicious connections. "The problem is exacerbated since the connections are then encrypted and allow for infiltration/exfiltration of data – leaving targets blind to attack."

Since 2012, Gartner has made it clear: Certificates can no longer be blindly trusted, Bocek wrote. "Unfortunately, the industry and enterprises continue to treat this huge problem as less important, and the lack of focus continues to leave us all vulnerable."