The Silicon Valley maker of networking gear said it would ship new versions of security software in the first half of this year to replace those that rely on numbers generated by Dual Elliptic Curve technology.
A team of cryptographers found that Juniper’s code had been changed in multiple ways during 2008 to enable eavesdropping on customers’ virtual private network sessions.
Juniper has found and replaced two unauthorised pieces of code that allowed “back door” access, which the researchers said had appeared in 2012 and 2014.
The 2014 back door was straightforward, said researcher Hovav Shacham of the University of California, San Diego, allowing anyone with the right password to see everything.
The 2012 code changed a mathematical constant in Juniper’s NetScreen products, a change that should have allowed its author to eavesdrop, according to Shacham and his fellow investigators.
Juniper had not explained how or why the Dual Elliptic Curve was picked.