Check: GEN007950
HP-UX 11.31 STIG:
GEN007950
(in versions v1 r19 through v1 r13)
Title
The system must not respond to ICMPv6 echo requests sent to a broadcast address. (Cat II impact)
Discussion
Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.
Check Content
Determine if the system blocks inbound IPv6 ICMP echo-requests sent to the all-hosts multicast address. Procedure: # ipfstat -6 -i Check for a rule such as: block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128 If a rule blocking inbound IPv6 ICMP echo-requests sent to the all-hosts multicast address does not exist, this is a finding.
Fix Text
Add an IPF rule to block inbound IPv6 ICMP ECHO_REQUEST packets sent to the all-hosts multicast address. Edit /etc/opt/ipf/ipf6.conf and add a rule such as: block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128 Reload the IPF rules. # ipf -6 -Fa -A -f /etc/opt/ipf/ipf6.conf
Additional Identifiers
Rule ID: SV-29786r1_rule
Vulnerability ID: V-23972
Group Title: GEN007950
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |