Juniper Networks recently posted a security advisory enumerating two separate CVEs (common vulnerabilities and exposures); CVE 2015-7755 and CVE 2015-7756 in the DHS National Vulnerability Database, a repository of known software flaws that compromise FIPS regulations (Federal Information Processing Standard).
These CVEs describe software flaws in firmware of Juniper Networks Secure Services Gateway (SSG) models SSG 50 & SSG 5xx. These devices provide ‘firewall’ and VPN gateway services. CVEs score the vulnerability attributes and criticality; CVE 2015-7755 is an authentication’ flaw, with a score of 10.0 (CRITICAL).
These two CVEs in combination provide a ‘back-door’ into the firmware implementing a widely used encryption algorithm for Elliptic Curve Cryptography, but more ominously involve a ‘backdoor-on-the-backdoor’ which when exploited, allows adversaries to read all communications (thought to be encrypted) in plaintext.
This illustrates of how requests by ‘three-letter’ federal agencies (to provide encryption keys and/or add backdoors), if implemented, can introduce yet more dangerous vulnerabilities.