GD library: How did it open the Junos OS to attacks?
The GD library used in the Junos operating system has opened Junos up to attacks. Nick Lewis explains how it happened and what it means for companies using open source software.
Juniper Networks Inc. and US-CERT issued security advisories regarding a serious vulnerability in the GD graphics library used in the Junos operating system. The GD library, or LibGD, has also caused problems for other vendors. How did a simple image library open Junos up to attacks? Should companies stay away from open source image libraries like GD library?
It's amusing to hear that a router or piece of network equipment has a vulnerability that you would typically only expect to see on a more traditional server. This occurrence supports the need to have a comprehensive vulnerability management program.
Likewise, it seems reasonable to expect that only the absolute necessary functionality will be included in a device in order to reduce its attack surface and complexity. For example, if a web server isn't installed on a system, then the web server doesn't need to be secured or have updates installed.
Since routers and network devices have many of the same functions as a standard server, they can have similar vulnerabilities. While routers and network devices aren't typically thought of as web servers, they often have a web interface for managing devices alongside traditional command-line options.
Juniper Networks issued a security advisory regarding a serious vulnerability in the GD library -- an open source code library for the creation of dynamic images -- that affected Juniper's Junos OS, which is used in the vendor's routers and network devices.
The workarounds mentioned by Juniper Networks are to discontinue use of onboard PHP scripting and to limit access to web management, as limiting access to the router or network device is a standard best practice. Juniper Networks could have avoided the vulnerability by developing their own software for generating images or by licensing a commercial library.
However, given the complexity of software development and that their core competency is in networking, it's very reasonable for them to use a well-tested and widely used open source library, such as GD library. Regardless of the library type, Juniper Networks still needs to update and monitor it for security vulnerabilities as part of their software development lifecycle.