UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must not apply reversed source routing to TCP responses.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22412 GEN003605 SV-26626r2_rule Medium
Description
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
STIG Date
Solaris 10 x86 Security Technical Implementation Guide 2018-06-29

Details

Check Text ( C-27663r2_chk )
Determine the type of zone that you are currently securing.
# zonename

If the zone is not the global zone, determine if any interfaces are exclusive to the zone:
# dladm show-link

If the output indicates "insufficient privileges" then this requirement is not applicable.

If the zone is the global zone or the non-global zone has exclusive interfaces verify the system does not apply reversed source routing to TCP responses.

# ndd /dev/tcp tcp_rev_src_routes

If the result is not 0, this is a finding.
Fix Text (F-23868r1_fix)
Configure the system to not apply reversed source routing to TCP responses.
# ndd -set /dev/tcp tcp_rev_src_routes 0
Also add this command to a system startup script.