By default, many Linux systems accept ICMP redirect messages, meaning the host will alter its routing table in response to an ICMP redirect received from any device on the local network. This feature can be abused to subvert a host's routing table and compromise its security, for example by tricking it into sending packets via a specific route where they can be sniffed or altered.
ICMP redirect acceptance is enabled by default on CentOS-based Linux systems.
ICMP redirection was disabled in Symantec Encryption Server version 3.3.1 MP1 and above.
The release notes state:
Resolved the vulnerability on Linux systems related to Internet Control Message Protocol (ICMP) redirection so that only gateways can redirect messages. [3228391]
As a temporary workaround for earlier server versions, the following commands can be executed as root:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
Note that the net.ipv4.conf.default.* values only apply to interfaces created after the change; on a host with IP forwarding disabled, a redirect is still accepted if either the net.ipv4.conf.all.* or the per-interface value (e.g. net.ipv4.conf.eth0.accept_redirects) is 1, so existing interfaces must be set to 0 explicitly as well. Verify with: sysctl -a | grep redirects
These settings can be added to /etc/sysctl.conf to make them permanent:
# echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
# echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
# echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
# echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
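The following script is an added example and is not part of this article or of the Symantec Encryption Server product. It audits every accept_redirects and secure_redirects knob under the kernel's sysctl tree (all, default and each existing interface), rewrites them all to 0, and emits the lines for /etc/sysctl.conf. The function names and the CONF_ROOT override are assumptions introduced for this example; the path /proc/sys/net/ipv4/conf is the standard Linux location.

```shell
#!/bin/sh
# Added example (not from the Symantec KB article): audit and remediate
# ICMP redirect acceptance on a Linux host.
# CONF_ROOT is an assumption of this example; it can point at a copied
# tree for offline testing. The default is the real kernel sysctl tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print "net.ipv4.conf.<scope>.<knob>=<value>" for every accept_redirects /
# secure_redirects knob under the tree that is not 0.
# Returns 0 when every knob is 0, 1 otherwise.
audit_redirects() {
    root="${1:-$CONF_ROOT}"
    bad=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        scope=$(basename "$dir")
        for knob in accept_redirects secure_redirects; do
            f="$dir/$knob"
            [ -r "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "net.ipv4.conf.$scope.$knob=$val"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Write 0 into every accept_redirects / secure_redirects knob: 'all',
# 'default' and each existing interface. Setting only 'default' via
# sysctl -w affects interfaces created later, not the ones already up.
# Needs root on a real system.
disable_redirects() {
    root="${1:-$CONF_ROOT}"
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        for knob in accept_redirects secure_redirects; do
            if [ -w "$dir/$knob" ]; then
                echo 0 > "$dir/$knob"
            fi
        done
    done
    return 0
}

# Emit the persistent settings in /etc/sysctl.conf syntax.
sysctl_conf_lines() {
    for scope in all default; do
        for knob in accept_redirects secure_redirects; do
            echo "net.ipv4.conf.$scope.$knob = 0"
        done
    done
}

# Usage: sh harden_redirects.sh audit | apply | conf
case "${1:-}" in
    audit) audit_redirects ;;
    apply) disable_redirects && audit_redirects ;;
    conf)  sysctl_conf_lines >> /etc/sysctl.conf ;;
esac
```

Run "audit" first; any line it prints is a knob that still accepts redirects, and the exit status is suitable for a compliance check in cron or a configuration-management run. "apply" fixes the live kernel, and "conf" appends the persistent lines so the setting survives a reboot.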
Applies To
PGP Universal Server / Symantec Encryption Server below 3.3.1 MP1