[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

ID: oval:gov.nist.usgcb.windowsseven:def:127Date: (C)2012-04-13   (M)2023-07-04
Class: COMPLIANCEFamily: windows




Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes, attackers can use source routed packets to conceal the address of their computer. HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. Vulnerability: This behavior is expected. The problem is that the 10 minute timeout period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic is not routed properly for the affected host. Countermeasure: Configure the EnableICMPRedirect entry to 0 (disabled). Potential impact: When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF, the result is confusing routing tables with strange routing paths that can result in higher network latency and inability to connect to network resources. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters!EnableICMPRedirect

Platform:
Microsoft Windows 7
Reference:
CCE-8513-4
CPE    1
cpe:/o:microsoft:windows_7
CCE    1
CCE-8513-4
XCCDF    11
xccdf_org.secpod_benchmark_Windows_7
xccdf_org.secpod_benchmark_general_Windows_7
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_7
xccdf_hippa_benchmark_Windows_7
...

© SecPod Technologies