Vulnerability Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
/run/sysctl.d/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
/etc/sysctl.conf
Check
Verify OL 8 will not accept IPv4 ICMP redirect messages.
Check the value of the default "accept_redirects" variables with the following command:
$ sudo sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 0
If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.
Check that the configuration files are present to enable this network parameter.
$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0
If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
If conflicting results are returned, this is a finding.
Fix
Configure OL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":
net.ipv4.conf.default.accept_redirects=0