Title

The system must not apply reversed source routing to TCP responses. (Cat II impact)

Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

Check Content

Determine if the system is configured to forward source-routed IP packets. When correctly configured, if ip_forward_src_routed is disabled, the system is also configured to disable reverse source routing to TCP responses to source-routed packets. # ndd -get /dev/ip ip_forward_src_routed If the returned value is not '0', this feature is enabled and this is a finding.

Fix Text

Disable the IP source-routed forwarding feature. # ndd -set /dev/ip ip_forward_src_routed 0 Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = ip NDD_NAME[x] = ip_forward_src_routed NDD_VALUE[x] = 0

Additional Identifiers

Rule ID: SV-35028r1_rule

Vulnerability ID: V-22412

Group Title: GEN003605

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.