UCF STIG Viewer Logo

The system must not apply reversed source routing to TCP responses.


Overview

Finding ID Version Rule ID IA Controls Severity
V-226893 GEN003605 SV-226893r603265_rule Medium
Description
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
STIG Date
Solaris 10 SPARC Security Technical Implementation Guide 2022-09-07

Details

Check Text ( C-29055r484963_chk )
Determine the type of zone that you are currently securing.
# zonename

If the zone is not the global zone, determine if any interfaces are exclusive to the zone:
# dladm show-link

If the output indicates "insufficient privileges" then this requirement is not applicable.

If the zone is the global zone or the non-global zone has exclusive interfaces verify the system does not apply reversed source routing to TCP responses.

# ndd /dev/tcp tcp_rev_src_routes

If the result is not 0, this is a finding.
Fix Text (F-29043r484964_fix)
Configure the system to not apply reversed source routing to TCP responses.
# ndd -set /dev/tcp tcp_rev_src_routes 0
Also add this command to a system startup script.