UCF STIG Viewer Logo

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.


Finding ID Version Rule ID IA Controls Severity
V-258889 PHTN-40-000226 SV-258889r933728_rule Medium
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide 2023-10-29


Check Text ( C-62629r933726_chk )
At the command line, run the following command to verify ICMP secure redirects are not accepted:

# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).secure_redirects"

Expected result:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

If the "secure_redirects" kernel parameters are not set to "0", this is a finding.
Fix Text (F-62538r933727_fix)
Navigate to and open:


Add or update the following lines:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.