OVAL

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

ID: oval:gov.nist.usgcb.windowsseven:def:127
Date: (C)2012-04-13   (M)2017-10-26
Class: COMPLIANCE
Family: windows




Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. Attackers can use source routed packets to conceal the address of their computer.

Registry entry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

Vulnerability: This behavior is expected. The problem is that the 10-minute timeout period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic is not routed properly for the affected host.

Countermeasure: Configure the EnableICMPRedirect entry to 0 (disabled).

Potential impact: When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF, the result is confusing routing tables with strange routing paths that can result in higher network latency and an inability to connect to network resources.

Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters!EnableICMPRedirect

Platform:
Microsoft Windows 7
Reference:
CCE-8513-4
CPE    1
cpe:/o:microsoft:windows_7
CCE    1
CCE-8513-4
XCCDF    10
xccdf_gov.nist_benchmark_USGCB-Windows-7
xccdf_nist_benchmark_Windows_7
xccdf_org.secpod_benchmark_Windows_7
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_7
...

© 2013 SecPod Technologies