CVE-2022-27506 Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI

This makes it easier to troubleshoot network issues.

To hard-code credentials, follow these steps:

1. Go to the configuration file for the module and confirm the permissions for the file.
2. Click to edit the configuration file and add the following line of code:

user name>
password>
/root/path>

In the example below, the user name is admin and the password is password. The path can be either a local drive letter or a remote location.

user name>
password>
/root/path>

Modules with hard-coded credentials can be put into a firewall rule to limit external access. An administrator can then access the module via the SD-WAN CLI or web interface.

Network-Based WAN Failover

SD-WAN provides a built-in network-based WAN failover feature. When your connection to the WAN fails, SD-WAN automatically attempts to reconnect at one of the other active zones in the network. If it's able to reconnect, you can use the command line interface (CLI) or web interface to continue using SD-WAN. If it cannot connect, you'll need to manually switch over to one of the remaining zones.

To configure for an external connection:

In order for this feature to work, your SD-WAN instances must be connected via a redundant pair of Ethernet connections.

1. Allocate two IP addresses for your primary and secondary links.
2. Go into the Network Settings section of each instance and enable Failover Mode on both interfaces. In this example, we'll assume that you have two zones in your network: 10.1.1/24 and 10.2/24.
3. Create an IP address range in each zone where all bridged traffic will go (e.g., 10.3/24).
4. Assign those addresses as secondary links in the respective SD-WAN instances on those links (e.g., if Zone 1 has an IP address range of 10.3/24 then assign 10.3 as a secondary link in Zone 1).
5. Assign these addresses as primary links in other zones as necessary (e.g., if Zone 2 has an IP range of 10/27 so assign 10

Installing SD-WAN SDK

SD-WAN has a set of quick and easy installation steps.

1. Download the SD-WAN SDK from the GitHub repository.
2. Extract the folder to a location on your computer.
3. Run the installer and follow the on-screen instructions for installation.
4. Run sdwan-setup to update your security policies, or run sdwanctl start to start the sdwan services if you are performing an initial configuration for SD-WAN.

SD-WAN – the benefits of SD-WAN

SD-WAN is a secure, high-performance, and reliable software-defined wide area network solution. It combines multiple technologies in one platform to provide unified connections across the entire WAN. With this, enterprises can reduce costs by consolidating their network resources and create a single point of control for their traffic. SD-WAN also offers improved service delivery by providing an end-to-end solution that meets all customer needs from initial design through maintenance.
What are some of the benefits of SD-WAN?
The following list features just a few of the many benefits that come from using SD-WAN:
* Improve overall performance with real-time monitoring and dynamic load balancing for maximum throughput
* Reduce time wasted on troubleshooting by leveraging centralized management capabilities
* Increase uptime through fast failover with zero service interruption
* Offer 24/7 support through centralization of the management portal
* Enable global deployments to minimize onsite infrastructure investments
* Simplify service management with a common operations model across all locations

Configuring a Network for SD-WAN

SD-WAN uses a different authentication mode than the default authentication mode. It requires SSH credentials to authenticate as an admin account rather than using the default password that is set on the SD-WAN system. To configure this, complete these steps:
1. Go to the configuration file for the module and confirm that permissions are given to read, write, and edit files for users with user ID 1000 or higher.
2. If you have not already done so, create a new user ID with a password of your choosing (see below).
3. Add a new line in the configuration file specifying the user name and password as follows:

user name>
password>
/root/path>

Disable hard-coded credentials

To disable hard-coded credentials, follow these steps:
1. Stop and start the module for the change to take effect.
2. In the configuration file, go to the line where the user name is being set and make sure that it's not being set.
3. Set a password in place of the user name to stop this from happening again.
