You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cloudstack.apache.org by "Demetrius Tsitrelis (JIRA)" <ji...@apache.org> on 2014/07/15 00:18:04 UTC
[jira] [Updated] (CLOUDSTACK-7092) ICMP redirection enabled
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Demetrius Tsitrelis updated CLOUDSTACK-7092:
--------------------------------------------
Component/s: (was: Network Controller)
SystemVM
> ICMP redirection enabled
> ------------------------
>
> Key: CLOUDSTACK-7092
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7092
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: SystemVM
> Affects Versions: 4.0.2
> Reporter: Jayapal Reddy
> Assignee: Jayapal Reddy
> Fix For: 4.5.0
>
>
> "By default, many linux systems enable a feature called ICMP redirection, where the machine will alter its route table in response to an ICMP
> redirect message from any network device.
> There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into sending packets via a specific route where they may be sniffed or altered)."
> The below settings are already there in sysctl.conf.
> net.ipv4.conf.all.accept_redirects=0
> net.ipv4.conf.default.accept_redirects=0
> Mitigation:
> Issue the following commands as root:
> sysctl -w net.ipv4.conf.all.secure_redirects=0
> sysctl -w net.ipv4.conf.default.secure_redirects=0
> These settings can be added to /etc/sysctl.conf to make them permanent. "
--
This message was sent by Atlassian JIRA
(v6.2#6252)