February 9, 2024

Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including which devices customers bought, as well as each product’s warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.

Sunnyvale, Calif. based Juniper Networks makes high-powered Internet routers and switches, and its products are used in some of the world’s largest organizations. Earlier this week KrebsOnSecurity heard from a reader responsible for managing several Juniper devices, who found he could use Juniper’s customer support portal to find device and support contract information for other Juniper customers.

Logan George is a 17-year-old intern working for an organization that uses Juniper products. George said he found the data exposure earlier this week by accident while searching for support information on a particular Juniper product.

George discovered that after logging in with a regular customer account, Juniper’s support website allowed him to list detailed information about virtually any Juniper device purchased by other customers. Searching on Amazon.com in the Juniper portal, for example, returned tens of thousands of records. Each record included the device’s model and serial number, the approximate location where it is installed, as well as the device’s status and associated support contract information.

Information exposed by the Juniper support portal. Columns not pictured include Serial Number, Software Support Reference number, Product, Warranty Expiration Date and Contract ID.

George said the exposed support contract information is potentially sensitive because it shows which Juniper products are most likely to be lacking critical security updates.

“If you don’t have a support contract you don’t get updates, it’s as simple as that,” George said. “Using serial numbers, I could see which products aren’t under support contracts. And then I could narrow down where each device was sent through their serial number tracking system, and potentially see all of what was sent to the same location. A lot of companies don’t update their switches very often, and knowing what they use allows someone to know what attack vectors are possible.”

In a written statement, Juniper said the data exposure was the result of a recent upgrade to its support portal.

“We were made aware of an inadvertent issue that allowed registered users to our system to access serial numbers that were not associated with their account,” the statement reads. “We acted promptly to resolve this issue and have no reason to believe at this time that any identifiable or personal customer data was exposed in any way. We take these matters seriously and always use these experiences to prevent further similar incidents. We are actively working to determine the root cause of this defect and thank the researcher for bringing this to our attention.”

The company has not yet responded to requests for information about exactly when those overly permissive user rights were introduced. However, the changes may date back to September 2023, when Juniper announced it had rebuilt its customer support portal.

George told KrebsOnSecurity the back-end for Juniper’s support website appears to be supported by Salesforce, and that Juniper likely did not have the proper user permissions established on its Salesforce assets. In April 2023, KrebsOnSecurity published research showing that a shocking number of organizations — including banks, healthcare providers and state and local governments — were leaking private and sensitive data thanks to misconfigured Salesforce installations.

Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said the complexity layered into modern tech support portals leaves much room for error.

“This is a reminder of how hard it is to build these large systems like support portals, where you need to be able to manage gazillions of users with distinct access roles,” Weaver said. “One minor screw up there can produce hilarious results.”

Last month, computer maker Hewlett Packard Enterprise announced it would buy Juniper Networks for $14 billion, reportedly to help beef up the 100-year-old technology company’s artificial intelligence offerings.

Update, 11:01 a.m. ET: An earlier version of this story quoted George as saying he was able to see support information for the U.S. Department of Defense. George has since clarified that while one block of device records he found was labeled “Department of Defense,” that record appears to belong to a different country.


9 thoughts on “Juniper Support Portal Exposed Customer Device Info

  1. Jira Portal

    My first thought was that the portal was going to be Jira/Atlassian (which is a complete mess to properly configure the permissions and not fck it up). I guess Salesforce is another clusterfkc…

    Also, not sure that publishing the name and not the employer is good enough, given that one of the first search results for the name and intern gives you the linkedin page showing where he might be interning.

    Reply
  2. Jason Gonzalez

    Nice article. Shame how easily customer be portal info can by found online.

    Reply
  3. Concerned Citizen

    Congrats Logan. Looks like you’ve got a bright future ahead. Eyes will be on you from now on…

    Reply
  4. Catwhisperer

    Mr. Weaver is right, and mass wetware will always find the weakness in your UI logic. A great example is AWS… But Juniper is not the only edge device manufacturer that has this type of recurring problem. Forti and Palo have had their fair share, as can be seen if you subscribe to the CISA-CERT alerts. Because it is an industry wide problem, maybe the issue could be resolved if they allowed engineering to drive product and software development, rather than sales? Ya think?

    Reply
  5. Matthew McNees

    Two things stick out to me from the “soft side.” 1) Continued develop of the ramifications of how convenience rears its ugly head in security posture, ie, identification of accounts who don’t have an up-to-date maintenance contract and may be an easier target, and 2) complexity as an evergreen conduit for opportunity.

    Reply
  6. md mubasheer

    “Thanks for highlighting this issue. It’s concerning that the Juniper Support Portal exposed customer device info. Juniper needs to act fast to fix this and ensure it doesn’t happen again. Customer trust is at stake here.”

    Reply
  7. Jennifer Maddern

    We are so proud of you Logan! Your future is bright. – Mrs. Maddern, Frontier High School

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *