BUG REPORT: ICMP redirection enabled on Symantec Encryption Server

Article ID: 158820


Products

Encryption Management Server

Issue/Introduction

By default, many Linux systems enable a feature called ICMP redirection, where the machine will alter its route table in response to an ICMP redirect message from any network device. There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into sending packets via a specific route where they may be sniffed or altered).

Cause

ICMP redirection is enabled by default on CentOS-based Linux systems.

Resolution

ICMP redirection was disabled in Symantec Encryption Server version 3.3.1 MP1 and above.

The Release Notes state:

Resolved the vulnerability on Linux systems related to Internet Control Message Protocol (ICMP) redirection so that only gateways can redirect messages. [3228391]

As a temporary workaround on older server versions, the following commands can be run as root to change the live kernel settings:

# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0

These settings can be added to /etc/sysctl.conf so that they survive a reboot:

# echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
# echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
# echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
# echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
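The echo commands above append a line every time they are run, so a second run leaves duplicate entries in /etc/sysctl.conf. The POSIX shell script below is an added example, not part of the Symantec article: it pins the same four keys to 0 in a sysctl configuration file exactly once (replacing any existing line for the key), and reads the live values back from /proc/sys so an administrator can confirm that redirects are actually disabled. The function names, the FILE and PROCDIR arguments, and the `--check` flag are assumptions introduced here for illustration.

```shell
#!/bin/sh
# Added example, not from the Symantec article.
# Pins the four ICMP-redirect sysctls from the article to 0 in a config
# file without creating duplicates, and verifies the live kernel values.

REDIRECT_KEYS="net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects"

# pin_redirect_sysctls FILE
# Ensure every key in REDIRECT_KEYS appears exactly once in FILE with value 0.
# FILE is an argument (hypothetical) so the function can be exercised on a
# scratch copy; on a real host it would be /etc/sysctl.conf.
pin_redirect_sysctls() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    for key in $REDIRECT_KEYS; do
        # Drop any existing assignment of this key, whatever its value,
        # then append the hardened setting. Other lines are preserved.
        tmp="$file.tmp.$$"
        grep -v "^[[:space:]]*$key[[:space:]]*=" "$file" > "$tmp" || true
        mv "$tmp" "$file"
        printf '%s = 0\n' "$key" >> "$file"
    done
}

# count_redirect_settings FILE KEY
# Print how many times KEY is assigned in FILE (1 after pinning, never more).
count_redirect_settings() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# live_redirects_disabled [PROCDIR]
# Print "key = value" for each live kernel setting under PROCDIR
# (default /proc/sys) and return 0 only if all four are 0.
# PROCDIR is a hypothetical argument that lets a fake tree stand in for /proc.
live_redirects_disabled() {
    base="${1:-/proc/sys}"
    rc=0
    for key in $REDIRECT_KEYS; do
        # net.ipv4.conf.all.accept_redirects -> net/ipv4/conf/all/accept_redirects
        path="$base/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            val=$(cat "$path")
            printf '%s = %s\n' "$key" "$val"
            [ "$val" = "0" ] || rc=1
        else
            # Missing knob (e.g. no IPv4 stack): report it and treat as not hardened.
            printf '%s = (not present)\n' "$key"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real host (requires root for the write):
#   ./redirects.sh --check              # show live values, exit 1 if any is 1
#   pin_redirect_sysctls /etc/sysctl.conf && sysctl -p
if [ "${1:-}" = "--check" ]; then
    live_redirects_disabled
fi
```

After pinning the file, `sysctl -p` reloads /etc/sysctl.conf into the running kernel, so the `sysctl -w` commands and the file edit can be replaced by a single idempotent run of this script followed by `sysctl -p`; the `--check` path is what to put in a post-change verification step.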

Applies To

PGP Universal Server / Symantec Encryption Server below 3.3.1 MP1