It's Thursday the 14th of January 2016, and it's now 25 days after I first heard about the Juniper backdoor (I heard about it on Monday the 21st of December 2015) and I still haven't patched it yet. We don't use the VPN and have never had SSH open to the internet so this isn't a world ending bug for us but it's still something pretty major that I want fixed.
When I heard about the bug I went off to the Juniper website to download the update but to my surprise I was greeted with this:
I needed an account to download software updates. I didn't have one1, so I went to sign up.
In the sign up form I needed my device serial number, so I went off and looked up the serial number. Then when I submitted it, I got a message saying my account needed to be validated and that I would get an email soon. I'm not sure if validation is a manual process or the flood of new sign ups from people wanting to patch their kit just overwhelmed their servers2 but 24 hours later I still had no email. So I tried to sign up again but it said there was already a pending application for my email address3 so validation was clearly still ongoing.
Finally at 20:37 on Thursday (just over four days later) the email with my security key to activate my account was sent, it said I needed to activate my account by the 3rd of January or the key would expire. The only problem is our office had closed for the end of year holidays at 17:00 on the 24th (we closed 4 hours before the validation email was sent) and our office wouldn't be open again until the 4th of January (the day after the activation key expired).4
On Monday the 4th when I got to work and found the email with my (now expired) security key. So I went to try again to create an account, only to be given this message:
currently here but it may be removed
Juniper were doing maintenance and wouldn't be allowing sign ups for another week and a half.
So here we are Thursday morning, and I still haven't created an account or downloaded a patch yet but hopefully today I will be able sign up. And who knows if I get validated a bit more quickly I might even be able to secure my kit some time this week. I'm not sure what Juniper thinks it's achieving by not letting unregistered users download security updates5 but when I am looking at buying firewalls in future I will be looking for a brand that doesn't lock it's software updates away. Most likely something open source like PFSense, MikroTik or maybe something that can run VyOS.
Maybe I've got my priorities the wrong way around but I'm far more annoyed by the process I've had to go through to fix the backdoor than I was about the fact that there was a backdoor in the first place.
-
I probably should have had an account before this all happened to download previous firmware images to fix other CVEs that didn't get as much press coverage, but I'm sure I'm not the only one in this boat. ↩
-
Or maybe it's automated but always this slow, I don't know. ↩
-
I could have used a different address but I'm not convinced that would have helped. ↩
-
Our office being closed is in no way Juniper's fault, but taking four days to create an account to download security fixes seems unreasonably long. ↩
-
Sure it's more than just a security patch, it's the whole firmware but it should still be freely downloadable. ↩