You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2014/07/14 08:33:04 UTC

[jira] [Resolved] (CLOUDSTACK-7092) ICMP redirection enabled

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-7092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayapal Reddy resolved CLOUDSTACK-7092.
---------------------------------------

    Resolution: Fixed

> ICMP redirection enabled
> ------------------------
>
>                 Key: CLOUDSTACK-7092
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7092
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.0.2
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>             Fix For: 4.5.0
>
>
> "By default, many linux systems enable a feature called ICMP redirection, where the machine will alter its route table in response to an ICMP
> redirect message from any network device.
> There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into sending packets via a specific route where they may be sniffed or altered)."
> The below settings are already there in sysctl.conf.
>  net.ipv4.conf.all.accept_redirects=0
>  net.ipv4.conf.default.accept_redirects=0
> Mitigation:
> Issue the following commands as root:
> sysctl -w net.ipv4.conf.all.secure_redirects=0
> sysctl -w net.ipv4.conf.default.secure_redirects=0
> These settings can be added to /etc/sysctl.conf to make them permanent. "



--
This message was sent by Atlassian JIRA
(v6.2#6252)