This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

TOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.

STIG ID: TOSS-04-040780  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium (CAT II)  |  CCI: CCI-000366 |  Vulnerability Id: V-253119

Vulnerability Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Check

Verify TOSS ignores IPv6 ICMP redirect messages.

Note: If IPv6 is disabled on the system, this requirement is Not Applicable.

Check the value of the "accept_redirects" variables with the following command:

$ sudo sysctl net.ipv6.conf.all.accept_redirects

net.ipv6.conf.all.accept_redirects = 0

If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.

Fix

Configure TOSS to ignore IPv6 ICMP redirect messages with the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":

net.ipv6.conf.all.accept_redirects = 0
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.