The Cybersecurity and Infrastructure Security Agency (CISA) is following an extensive external compromise of multiple entities that originated with an attack on the SolarWinds Orion product.
The CISA advisory can be found at https://us-cert.cisa.gov/ncas/alerts/aa20-352a
This blog will serve as Juniper’s official statement on both any potential impact to Juniper’s products and any implications for Juniper’s internal network. As more information about these attacks becomes known, Juniper will continue to investigate, and this blog will be updated with any relevant new information.
Q – Are any Juniper products vulnerable to the attacks detailed by CISA?
No, the SolarWinds Orion product is not a part of any Juniper product and the identified attack vectors are not applicable to Juniper products.
Customers should note, however, that if they are using Orion in their network, Orion may have stored credentials for Juniper devices, and it would be a good idea to change those passwords.
Q – Does Juniper use the Orion product within its infrastructure?
Yes, we were using Orion in limited ways within Juniper’s internal network.
Q – Have you detected any compromise or other adverse impact as a result of Juniper’s internal use of Orion?
No. When the external news broke, Juniper quickly identified any instances of Orion on our network and immediately took the mitigation steps recommended by CISA, which included forensic imaging, powering off all Orion servers, and analyzing those systems. Juniper did a thorough scan of the entire network for the potentially compromised Orion files, and the versions on the Juniper network were not the versions known to be compromised. There was only one instance of a potentially vulnerable version of Orion, discovered on a single Juniper employee’s laptop, which was part of a demonstration version – and that laptop was quarantined and is in the process of being analyzed. We are continuing to monitor new information as it becomes available and watching our network for any indications of compromise or suspicious activity. Any relevant information which results from our continuing analysis will be added to this post.