You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2014/07/10 11:24:05 UTC
[jira] [Created] (CLOUDSTACK-7092) ICMP redirection enabled
Jayapal Reddy created CLOUDSTACK-7092:
-----------------------------------------
Summary: ICMP redirection enabled
Key: CLOUDSTACK-7092
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7092
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Controller
Affects Versions: 4.0.2
Reporter: Jayapal Reddy
Assignee: Jayapal Reddy
Fix For: 4.5.0
"By default, many linux systems enable a feature called ICMP redirection, where the machine will alter its route table in response to an ICMP
redirect message from any network device.
There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into sending packets via a specific route where they may be sniffed or altered)."
The below settings are already there in sysctl.conf.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
Mitigation:
Issue the following commands as root:
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
These settings can be added to /etc/sysctl.conf to make them permanent. "
--
This message was sent by Atlassian JIRA
(v6.2#6252)