BUG REPORT: ICMP redirection enabled on Symantec Encryption Server
Last Updated January 09, 2014
By default, many Linux systems enable a feature called ICMP redirection, where the machine alters its routing table in response to an ICMP redirect message from any network device. There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into sending packets via a specific route where they may be sniffed or altered).
ICMP redirection is enabled by default on CentOS-based Linux systems.
ICMP redirection was disabled in Symantec Encryption Server version 3.3.1 MP1 and above.
The Release Notes state:
Resolved the vulnerability on Linux systems related to Internet Control Message Protocol (ICMP) redirection so that only gateways can redirect messages.
As a temporary workaround on earlier server versions, the following commands can be executed as root:
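The following script is an added example and not the commands from the Symantec article. It shows how the mitigation is applied on a Linux host with sysctl: it prints the relevant settings, applies and persists them when run as root, and audits the live values under /proc/sys so a host can be checked after the fact. The Release Notes describe a fix that accepts redirects only from gateways (the behaviour of the `secure_redirects` setting); this example is stricter and disables acceptance of redirects altogether. The drop-in file path and the optional directory argument to the audit function are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the Symantec article's commands): disable acceptance of
# ICMP redirect messages on a Linux host via sysctl, persist the setting, and
# audit the running kernel values.

# Kernel keys governing ICMP redirect acceptance (IPv4 and IPv6).
ICMP_REDIRECT_KEYS="net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects
net.ipv6.conf.all.accept_redirects
net.ipv6.conf.default.accept_redirects"

# Emit sysctl.conf-style lines that disable every key above.
icmp_redirect_sysctl_lines() {
    for key in $ICMP_REDIRECT_KEYS; do
        printf '%s = 0\n' "$key"
    done
}

# Apply the settings to the running kernel (root required) and persist them.
# The drop-in path is an assumption for this example; adjust per distribution.
apply_icmp_redirect_hardening() {
    conf="${1:-/etc/sysctl.d/50-icmp-redirects.conf}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_icmp_redirect_hardening: must run as root" >&2
        return 1
    fi
    icmp_redirect_sysctl_lines | while read -r key eq val; do
        # A key may be absent (e.g. IPv6 disabled); report but carry on.
        sysctl -w "$key=$val" || echo "warning: could not set $key" >&2
    done
    icmp_redirect_sysctl_lines > "$conf"
}

# Audit the live values. Optional argument: directory to read instead of
# /proc/sys (assumed parameter, used so the check can run against a test tree).
# Prints each key that still accepts redirects; returns 0 if all are disabled,
# 1 otherwise. Reads only, so it works without root.
audit_icmp_redirects() {
    root="${1:-/proc/sys}"
    rc=0
    for key in $ICMP_REDIRECT_KEYS; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        [ -r "$path" ] || continue        # key not present on this kernel
        if [ "$(cat "$path")" != "0" ]; then
            echo "ENABLED: $key"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh icmp_redirects.sh print | audit | apply [conf-file]
case "${1:-print}" in
    print) icmp_redirect_sysctl_lines ;;
    audit) audit_icmp_redirects ;;
    apply) apply_icmp_redirect_hardening "${2:-}" ;;
esac
```

Run `sh icmp_redirects.sh audit` on a host to list any key that still accepts redirects; an exit status of 0 means every present key is already set to 0.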