[
https://issues.apache.org/jira/browse/CLOUDSTACK-7092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14057325#comment-14057325
]
Jayapal Reddy commented on CLOUDSTACK-7092:
-------------------------------------------
http://linux-ip.net/html/routing-icmp.html
https://www.agwa.name/blog/post/icmp_redirect_attacks_in_the_wild
> ICMP redirection enabled
> ------------------------
>
> Key: CLOUDSTACK-7092
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7092
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.0.2
> Reporter: Jayapal Reddy
> Assignee: Jayapal Reddy
> Fix For: 4.5.0
>
>
> "By default, many linux systems enable a feature called ICMP redirection,
> where the machine will alter its route table in response to an ICMP
> redirect message from any network device.
> There is a risk that this feature could be used to subvert a host's routing
> table in order to compromise its security (e.g., tricking it into sending
> packets via a specific route where they may be sniffed or altered)."
> The below settings are already there in sysctl.conf.
> net.ipv4.conf.all.accept_redirects=0
> net.ipv4.conf.default.accept_redirects=0
> Mitigation:
> Issue the following commands as root:
> sysctl -w net.ipv4.conf.all.secure_redirects=0
> sysctl -w net.ipv4.conf.default.secure_redirects=0
> These settings can be added to /etc/sysctl.conf to make them permanent. "
--
This message was sent by Atlassian JIRA
(v6.2#6252)
