Title

The system must disable ICMP redirect messages. (Cat III impact)

Discussion

A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system.

Check Content

Determine the version of Solaris 11 in use. # cat /etc/release If the version of Solaris is earlier than Solaris 11.2, determine if ICMP redirect messages are disabled. # ipadm show-prop -p _send_redirects -co current ipv4 # ipadm show-prop -p _send_redirects -co current ipv6 If the output of all commands is not "0", this is a finding. If the version of Solaris is Solaris 11.2 or later, determine if ICMP redirect messages are disabled. # ipadm show-prop -p send_redirects -co current ipv4 # ipadm show-prop -p send_redirects -co current ipv6 If the output of all commands is not "off", this is a finding.

Fix Text

The Network Management profile is required. If the version of Solaris is earlier than Solaris 11.2, disable send redirects for IPv4 and IPv6. # pfexec ipadm set-prop -p _send_redirects=0 ipv4 # pfexec ipadm set-prop -p _send_redirects=0 ipv6 If the version of Solaris is Solaris 11.2 or later, disable send redirects for IPv4 and IPv6. # pfexec ipadm set-prop -p send_redirects=off ipv4 # pfexec ipadm set-prop -p send_redirects=off ipv6

Additional Identifiers

Rule ID: SV-216139r603268_rule

Vulnerability ID: V-216139

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.