Check: GEN007860
HP-UX 11.31 STIG:
GEN007860
(in versions v1 r19 through v1 r13)
Title
The system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. (Cat II impact)
Discussion
ICMP redirect messages are used by routers to inform hosts of a more direct route existing for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check Content
Determine if the system blocks inbound IPv6 ICMP redirects by listing the active IPv6 inbound IPF rules:

# ipfstat -6 -i

Check for a rule such as:

block in quick proto icmpv6 from any to any icmpv6-type 137

If a rule blocking inbound IPv6 ICMP redirects does not exist, this is a finding.
Fix Text
Add an IPF rule to block inbound IPv6 ICMP redirect packets. Edit /etc/opt/ipf/ipf6.conf and add a rule such as:

block in quick proto icmpv6 from any to any icmpv6-type 137

Reload the IPF rules:

# ipf -6 -Fa -A -f /etc/opt/ipf/ipf6.conf
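The check above is a manual read of ipfstat output. The shell script below is an added example, not part of the STIG or of HP-UX IPF, that automates the GEN007860 verdict: it scans inbound IPv6 rule text for a "block in ... proto icmpv6 ... icmpv6-type 137" rule and reports a finding when none is present. The rule listings it runs against are constructed sample data standing in for real "ipfstat -6 -i" output; it assumes ipfstat prints the rule in the same numeric form the STIG quotes (the function names gen007860_check and run_check are this example's own).

```shell
#!/bin/sh
# Added example: automate the GEN007860 check against "ipfstat -6 -i" output.
# Sample rule listings are constructed; they are not captured from a real host.

# Constructed sample: inbound IPv6 rules on a host that blocks ICMPv6 redirects.
COMPLIANT_RULES='pass in quick proto tcp from any to any port = 22 flags S keep state
block in quick proto icmpv6 from any to any icmpv6-type 137
pass out quick all'

# Constructed sample: the same host without the redirect-blocking rule.
NONCOMPLIANT_RULES='pass in quick proto tcp from any to any port = 22 flags S keep state
pass out quick all'

# gen007860_check: reads IPF rule lines on stdin and returns 0 when at least
# one rule blocks inbound icmpv6 type 137 (redirect), 1 otherwise (finding).
# Assumption: the type is listed numerically, as in the STIG's example rule;
# "([^0-9]|$)" stops 137 from matching a longer number such as 1370.
gen007860_check() {
    grep -E '^block[[:space:]]+in[[:space:]].*proto[[:space:]]+icmpv6[[:space:]].*icmpv6-type[[:space:]]+137([^0-9]|$)' >/dev/null
}

# run_check: feeds one rule listing to the check and prints the STIG verdict.
# Returns 0 when compliant and 1 when the rule is missing (a finding).
run_check() {
    if printf '%s\n' "$1" | gen007860_check; then
        echo "GEN007860: rule blocking inbound IPv6 ICMP redirects found (not a finding)"
        return 0
    else
        echo "GEN007860: no rule blocking inbound IPv6 ICMP redirects (finding)"
        return 1
    fi
}

# Live use on an HP-UX host (left commented so the sample runs anywhere):
# ipfstat -6 -i | gen007860_check && echo "not a finding" || echo "finding"

# Demonstrate both outcomes on the constructed samples.
for rules in "$COMPLIANT_RULES" "$NONCOMPLIANT_RULES"; do
    run_check "$rules" || :   # ":" keeps the loop going after a finding
done
```

The match is deliberately strict about the direction (in) and protocol (icmpv6): a rule that blocks type 137 only outbound, or a pass rule mentioning the type, does not satisfy the check.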
Additional Identifiers
Rule ID: SV-35241r1_rule
Vulnerability ID: V-22550
Group Title: GEN007860
CCIs
Number | Definition
---|---
CCI-001551 | The organization defines approved authorizations for controlling the flow of information between interconnected systems.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement