Partner Shared Secret configuration

 

Information

 

Summary:

The firmware versions listed below introduced a new feature to mitigate CVE-2024-3544.

Environment:

Product: LoadMaster

Version: 7.2.59.4 (GA), 7.2.54.10 (LTSF), 7.2.48.12 (LTS)

Platform: Any

Application: N/A

Question/Problem Description:

A shared secret configuration has been introduced to secure communications between LoadMaster partner devices. It is similar in concept to a RADIUS shared secret.

Steps to Reproduce:  
Error Message:

Upon logging in to the LoadMaster after the upgrade, the following message is displayed:

Please set the Partner Shared Secret used to verify communications between High Availability, Clustered, and GEO partners. Click on Certificates & Security > Remote Access in the main menu. This secret must be set to the same string on all partners.

Defect Number:  
Enhancement Number:  
Cause:

The Partner Shared Secret is required to secure communications between partner devices and must be enabled on all High Availability (HA) partners, all LoadMasters in a cluster, and all GEO partners. The Partner Shared Secret must be the same on:
  • Both units in a HA setup
  • All units in a LoadMaster cluster
  • All GEO partners
  • All remote GEO machines that retrieve Virtual Services from this device
Resolution:

The shared secret must be configured individually on each HA unit or GEO unit. It is not synchronized across the HA configuration or between GEO partners.

This secret can be found in the following locations:
  • Regular/shared Web User Interface (WUI): Certificates & Security > Remote Access
  • Local WUI (of a configured HA or cluster unit): Local Administration > Remote Access
This secret must have a minimum of 8 and a maximum of 127 characters. The following characters are supported:
  • Numeric: 0-9
  • Uppercase alphabetic: A-Z
  • Lowercase alphabetic: a-z
  • Special characters: !"#$%&()*+,-./:;<=>?[\~]^_@`{|}
Workaround:  
Notes:

When an incoming shared secret does not match the local Partner Shared Secret (including when only one side provides a shared secret), the connection fails and a warn-level log message is recorded that says "Unauthorized Remote Machine connection from <ClientIPAddress>".

 

2024-05-06T16:04:52+08:00 vlm02 logger: Unauthorized Remote Machine connection from 10.67.56.141
2024-05-06T16:04:57+08:00 vlm02 logger: Unauthorized Remote Machine connection from 10.67.56.141
2024-05-06T16:05:03+08:00 vlm02 logger: Unauthorized Remote Machine connection from 10.67.56.141
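
A triage sketch for the log message above, added here as an example and not Kemp code: it groups the rejections by reporting unit and source address, and separates known partners (secret missing or different on one side) from addresses outside the partner list. The `KNOWN_PARTNERS` inventory, the function name and the last two sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Line layout and message text taken from the log excerpt in the article.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<unit>\S+)\s+logger:\s+"
    r"Unauthorized Remote Machine connection from (?P<src>\S+)\s*$"
)

def summarize(lines, known_partners):
    """Group rejected partner connections by (reporting unit, source IP)."""
    partners = {ip_address(p) for p in known_partners}
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other syslog message
        try:
            src, ts = ip_address(m["src"]), datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # malformed address or timestamp
        seen[(m["unit"], str(src))].append(ts)
    report = []
    for (unit, src), stamps in sorted(seen.items()):
        report.append({
            "unit": unit, "source": src, "count": len(stamps),
            "span_s": (max(stamps) - min(stamps)).total_seconds(),
            # Inventory member: secret missing or different on one side.
            # Anything else: a host that is not a configured partner.
            "verdict": "partner-secret-mismatch"
            if ip_address(src) in partners else "unknown-source",
        })
    return report

# First three lines are from the article; the last two are constructed.
SAMPLE = [
    "2024-05-06T16:04:52+08:00 vlm02 logger: Unauthorized Remote Machine connection from 10.67.56.141",
    "2024-05-06T16:04:57+08:00 vlm02 logger: Unauthorized Remote Machine connection from 10.67.56.141",
    "2024-05-06T16:05:03+08:00 vlm02 logger: Unauthorized Remote Machine connection from 10.67.56.141",
    "2024-05-06T16:07:10+08:00 vlm02 logger: Unauthorized Remote Machine connection from 192.0.2.50",
    "2024-05-06T16:07:11+08:00 vlm02 sshd: session opened",
]
KNOWN_PARTNERS = ["10.67.56.141"]  # assumed HA/cluster/GEO partner inventory

if __name__ == "__main__":
    for row in summarize(SAMPLE, KNOWN_PARTNERS):
        print(row)
```

A "partner-secret-mismatch" row points at the Remote Access setting on the reporting unit and on the listed partner; an "unknown-source" row is a host to identify before any secret is changed.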
 
