cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-7092) ICMP redirection enabled
Date Thu, 10 Jul 2014 09:48:07 GMT


ASF subversion and git services commented on CLOUDSTACK-7092:

Commit e0d4af50626f46dcc84612aff427c6db13cc4270 in cloudstack's branch refs/heads/master from
[;h=e0d4af5 ]

CLOUDSTACK-7092: Disabled icmp redirects in VR

> ICMP redirection enabled
> ------------------------
>                 Key: CLOUDSTACK-7092
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.0.2
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>             Fix For: 4.5.0
> "By default, many linux systems enable a feature called ICMP redirection, where the machine
will alter its route table in response to an ICMP
> redirect message from any network device.
> There is a risk that this feature could be used to subvert a host's routing table in
order to compromise its security (e.g., tricking it into sending packets via a specific route
where they may be sniffed or altered)."
> The below settings are already there in sysctl.conf.
>  net.ipv4.conf.all.accept_redirects=0
>  net.ipv4.conf.default.accept_redirects=0
> Mitigation:
> Issue the following commands as root:
> sysctl -w net.ipv4.conf.all.secure_redirects=0
> sysctl -w net.ipv4.conf.default.secure_redirects=0
> These settings can be added to /etc/sysctl.conf to make them permanent. "

This message was sent by Atlassian JIRA

View raw message