Jayapal Reddy created CLOUDSTACK-7092:
-----------------------------------------
Summary: ICMP redirection enabled
Key: CLOUDSTACK-7092
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7092
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Controller
Affects Versions: 4.0.2
Reporter: Jayapal Reddy
Assignee: Jayapal Reddy
Fix For: 4.5.0
"By default, many linux systems enable a feature called ICMP redirection, where
the machine will alter its route table in response to an ICMP
redirect message from any network device.
There is a risk that this feature could be used to subvert a host's routing
table in order to compromise its security (e.g., tricking it into sending
packets via a specific route where they may be sniffed or altered)."
The below settings are already there in sysctl.conf.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
Mitigation:
Issue the following commands as root:
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
These settings can be added to /etc/sysctl.conf to make them permanent. "
--
This message was sent by Atlassian JIRA
(v6.2#6252)
