Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2014/07/10 11:24:05 UTC

[jira] [Created] (CLOUDSTACK-7092) ICMP redirection enabled

Jayapal Reddy created CLOUDSTACK-7092:
-----------------------------------------

             Summary: ICMP redirection enabled
                 Key: CLOUDSTACK-7092
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7092
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Network Controller
    Affects Versions: 4.0.2
            Reporter: Jayapal Reddy
            Assignee: Jayapal Reddy
             Fix For: 4.5.0


"By default, many Linux systems enable a feature called ICMP redirection, where the machine will alter its route table in response to an ICMP redirect message from any network device.
There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into sending packets via a specific route where they may be sniffed or altered)."

The below settings are already there in sysctl.conf.
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0

Mitigation:
Issue the following commands as root:
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
These settings can be added to /etc/sysctl.conf to make them permanent. "



--
This message was sent by Atlassian JIRA
(v6.2#6252)