UCF STIG Viewer Logo

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239178 PHTN-67-000107 SV-239178r816662_rule Medium
Description
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
STIG Date
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide 2022-09-27

Details

Check Text ( C-42389r675340_chk )
At the command line, execute the following command:

# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects"

Expected result:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0

If the output does not match the expected result, this is a finding.

Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Fix Text (F-42348r816661_fix)
Open /etc/sysctl.conf with a text editor.

Add or update the following lines:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0

Run the following command to load the new setting:

# /sbin/sysctl --load