Vulnerability Discussion
An illicit router advertisement message could result in a man-in-the-middle attack.
Check
Verify RHEL 9 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router.
Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
Determine if router advertisements are not accepted by default by using the following command:
$ sudo sysctl net.ipv6.conf.default.accept_ra
net.ipv6.conf.default.accept_ra = 0
If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Check that the configuration files are present to enable this network parameter.
$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.default.accept_ra | tail -1
net.ipv6.conf.default.accept_ra = 0
If "net.ipv6.conf.default.accept_ra" is not set to "0" or is missing, this is a finding.
Fix
Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router.
Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory:
net.ipv6.conf.default.accept_ra = 0
Load settings from all system configuration files with the following command:
$ sudo sysctl --system