An error occurred:

Check: GEN007860

HP-UX 11.31 STIG: GEN007860 (in versions v1 r19 through v1 r13)

Title

The system must ignore IPv6 Internet Control Message Protocol (ICMP ) redirect messages. (Cat II impact)

Discussion

ICMP redirect messages are used by routers to inform hosts of a more direct route existing for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Check Content

Determine if the system blocks inbound IPv6 ICMP redirects. # ipfstat -6 -i Check for a rule such as: block in quick proto icmpv6 from any to any icmpv6-type 137 If a rule blocking inbound IPv6 ICMP redirects does not exist, this is a finding.

Fix Text

Add an IPF rule to block inbound IPv6 ICMP redirect packets. Edit /etc/opt/ipf/ipf6.conf and add a rule such as: block in quick proto icmpv6 from any to any icmpv6-type 137 Reload the IPF rules. # ipf -6 -Fa -A -f /etc/opt/ipf/ipf6.conf

Additional Identifiers

Rule ID: SV-35241r1_rule

Vulnerability ID: V-22550

Group Title: GEN007860

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001551

The organization defines approved authorizations for controlling the flow of information between interconnected systems.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement