Juniper Networks Inc. and US-CERT issued security advisories regarding a serious vulnerability in the GD graphics library used in the Junos operating system. The GD library, or LibGD, has also caused problems for other vendors. How did a simple image library open Junos up to attacks? Should companies stay away from open source image libraries like GD library?
It is somewhat surprising to hear that a router or other piece of network equipment has a vulnerability you would typically expect to see on a more traditional server. This case reinforces the need for a comprehensive vulnerability management program, one that covers network devices and the third-party components inside them, not just servers.

It also seems reasonable to expect that only strictly necessary functionality is included in a device, in order to reduce its attack surface and complexity. For example, if a web server isn't installed on a system, there is no web server to secure or patch.

Since routers and network devices perform many of the same functions as a standard server, they can have similar vulnerabilities. While routers and network devices aren't typically thought of as web servers, they often expose a web interface for device management alongside the traditional command-line interface, and that web interface carries the same kinds of dependencies a server-side web application would.
Juniper Networks issued a security advisory regarding a serious vulnerability in the GD library -- an open source code library for creating dynamic images -- that it ships as part of Junos OS, the operating system used in the vendor's routers and network devices.
The workarounds mentioned by Juniper Networks are to discontinue use of onboard PHP scripting and to limit access to web management; limiting access to the management interfaces of a router or network device is a standard best practice in any case. Juniper Networks could have avoided this particular vulnerability by developing its own image-generation code or by licensing a commercial library.

However, given the complexity of software development, and that Juniper's core competency is networking, it is entirely reasonable for the vendor to use a well-tested and widely used open source library such as GD. Regardless of where a library comes from, Juniper Networks still needs to track it, watch for security vulnerabilities disclosed against it and update it as part of its software development lifecycle, and customers in turn need to track the vendor's advisories for those embedded components.
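As an added illustration of the second workaround above (limiting access to web management), the following Junos set-style configuration fragment restricts J-Web to HTTPS on the out-of-band management interface, accepts management connections only from an assumed administrator subnet, and logs and drops management attempts from anywhere else. This is example configuration written for this page, not text from Juniper's advisory; the filter name PROTECT-RE, the management interface fxp0.0 and the subnet 192.0.2.0/24 (a documentation prefix used as a placeholder) are assumptions to adapt to your own network. The lines beginning with # are reader comments, not configuration, and should be stripped before loading the fragment with `load set`.

```junos
# Added example, not from the Juniper advisory. Names and addresses are placeholders.

# Option A: if J-Web is not needed at all, remove it. This is the simplest way to
# shrink the attack surface, because code that is not running cannot be exploited.
delete system services web-management

# Option B: if J-Web is required, serve it only over HTTPS and only on the
# out-of-band management interface (fxp0.0 is an assumption; it varies by platform).
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

# Protect the routing engine with a loopback filter. Management protocols are
# accepted only from the assumed administrator subnet.
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from destination-port [ ssh http https ]
set firewall family inet filter PROTECT-RE term ALLOW-MGMT then accept

# Log and drop management attempts from every other source.
set firewall family inet filter PROTECT-RE term DENY-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-MGMT from destination-port [ ssh http https ]
set firewall family inet filter PROTECT-RE term DENY-MGMT then log
set firewall family inet filter PROTECT-RE term DENY-MGMT then discard

# Everything else destined for the routing engine (routing protocols, SNMP, NTP
# and so on) is accepted by this final term. Without it the filter's implicit
# deny would silently break the control plane.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

# Apply the filter to all traffic addressed to the routing engine.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Option A and Option B are alternatives, not both at once. Because a mistake in a loopback filter can lock you out of the device, activate the change with `commit confirmed` (for example `commit confirmed 5`) so that it rolls back automatically unless you confirm it within the window from a working management session.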
Related Q&A from Nick Lewis