CCE-45279-7Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2017-08-03 (M)2023-07-04 |
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Vulnerability:
This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host.
Counter Measure:
Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled.
The possible values for this registry entry are:
* 1 or 0. The default configuration is 1 (enabled).
In the SCE UI, these options appear as:
* Enabled
* Disabled
* Not Defined
Potential Impact:
When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router can not be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths.
Fix:
(1) GPO: Computer ConfigurationAdministrative TemplatesMSS (Legacy)MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
(2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesTcpipParameters!EnableICMPRedirect
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters!EnableICMPRedirect
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.7 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.5 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: LOW |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:40331 |