An error occurred:

Check: GEN007950

SUSE Linux Enterprise Server v11 for System z STIG: GEN007950 (in versions v1 r12 through v1 r9)

Title

The system must not respond to ICMPv6 echo requests sent to a broadcast address. (Cat II impact)

Discussion

Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.

Check Content

Check for an ip6tables rule that drops inbound IPv6 ICMP ECHO_REQUESTs sent to the all-hosts multicast address. Procedure: # less /etc/sysconfig/scripts/SuSEfirewall2-custom Check for a rule in, or referenced by, the INPUT chain such as: ip6tables -A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP If such a rule does not exist, this is a finding.

Fix Text

Add an ip6tables rule that drops inbound IPv6 ICMP ECHO_REQUESTs sent to the all-hosts multicast address. Edit /etc/sysconfig/scripts/SuSEfirewall2-custom and add a rule in, or referenced by, the INPUT chain such as: ip6tables -A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP Reload the SuSEfirewall2 rules. Procedure: # rcSuSEfirewall2 restart

Additional Identifiers

Rule ID: SV-45993r1_rule

Vulnerability ID: V-23972

Group Title: GEN007950

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings