[Forgot Password]
Login  Register Subscribe

23631

 
 

115038

 
 

96174

 
 

909

 
 

78077

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

ID: oval:gov.nist.usgcb.windowsseven:def:127Date: (C)2012-04-13   (M)2017-10-21
Class: COMPLIANCEFamily: windows




Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes, attackers can use source routed packets to conceal the address of their computer. HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. Vulnerability: This behavior is expected. The problem is that the 10 minute timeout period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic is not routed properly for the affected host. Countermeasure: Configure the EnableICMPRedirect entry to 0 (disabled). Potential impact: When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF, the result is confusing routing tables with strange routing paths that can result in higher network latency and inability to connect to network resources. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters!EnableICMPRedirect

Platform:
Microsoft Windows 7
Reference:
CCE-8513-4
CPE    1
cpe:/o:microsoft:windows_7
CCE    1
CCE-8513-4
XCCDF    10
xccdf_org.secpod_benchmark_cip_std_ver3_Windows_7
xccdf_hippa_benchmark_Windows_7
xccdf_org.secpod_benchmark_ISO27001_Windows_7
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_7
...

© 2013 SecPod Technologies