"accept_source_route" enabled by default in 24.04

Bug #2064966 reported by Michael Quiniola
Affects: systemd (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Case 384821 - https://canonical.lightning.force.com/lightning/r/Case/500N100000BS4C3IAL/view

Customer reported in 24.04 Noble that accept_source_route options in sysctl.conf are enabled by default. 22.04 Jammy ships with a 50-sysctl.conf file which disables this by default. Previous releases ship with 99-sysctl.conf, but the line disabling this feature is commented out.

In discussion on Mattermost (~Foundations, https://chat.canonical.com/canonical/pl/ytc1iyp6ai875pij3h7bzmeqoa) it was agreed that this option should be disabled by default and likely violates STIG.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I assume you mean noble? (24.04 is noble)

My noble VM has it disabled by default:

root@sec-noble-amd64:~# more /proc/sys/net/ipv4/conf/all/accept_source_route
0

Are you seeing it enabled in a fresh noble install?

Michael Quiniola (qthepirate) wrote :

Yes, I did mean noble; I corrected my typo.

It is enabled by default in a fresh install:

net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.eno1.accept_source_route = 1
net.ipv4.conf.lo.accept_source_route = 1

description: updated
Marc Deslauriers (mdeslaur) wrote :

What's the output of sysctl net.ipv4.conf.all.accept_source_route ?

Marc Deslauriers (mdeslaur) wrote :

per the documentation, "conf/all/accept_source_route must also be set to TRUE to accept packets":

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

Marc Deslauriers (mdeslaur) wrote :

Also, my default install of jammy has the lines commented out as well in 99-sysctl.conf, and the default value is 0:

# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0

Marc Deslauriers (mdeslaur) wrote (last edit ):

So, the "all" value is disabled by default on all releases, which means it's turned off by default.

The "default" value is forcibly turned off also on jammy because we shipped the /usr/lib/sysctl.d/50-default.conf file by mistake, while on other releases, the "default" value is on.

Since the "all" value is turned off by default on all releases, and overrides the interface specific values, I don't see a security issue here.

Changed in systemd (Ubuntu):
status: New → Invalid
Mark Esler (eslerm)
information type: Private Security → Public Security
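The thread turns on the kernel rule quoted above: source-routed packets are accepted on an interface only when both conf/all/accept_source_route and that interface's own conf/<iface>/accept_source_route are 1, so a per-interface value of 1 is harmless while "all" is 0. The following POSIX shell script is an added example, not code from the bug report or from Ubuntu; it computes the effective state from sysctl-style output, using a constructed sample that mirrors the values reported here (all=0, default/eno1/lo=1). The function names and the sample lines are the example's own.

```shell
#!/bin/sh
# Added example: compute the effective accept_source_route state per interface
# using the kernel rule "conf/all AND conf/<iface> must both be 1".

# effective_accept_source_route ALL IFACE -> prints 1 (accepted) or 0 (dropped)
effective_accept_source_route() {
    if [ "$1" = "1" ] && [ "$2" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample in the format of `sysctl -a | grep accept_source_route`,
# reproducing the values seen in this bug: "all" is 0, the rest are 1.
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.eno1.accept_source_route = 1
net.ipv4.conf.lo.accept_source_route = 1'

# audit_source_route: read sysctl-style lines on stdin and print one line
# "<iface> raw=<v> effective=<e>" per real interface (all/default excluded).
audit_source_route() {
    awk -F' = ' '
        /^net\.ipv4\.conf\.[^.]+\.accept_source_route/ {
            split($1, parts, ".")     # parts[4] is the interface name
            val[parts[4]] = $2
        }
        END {
            # Missing "all" is treated as 0, i.e. source routing off.
            all = ("all" in val) ? val["all"] + 0 : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (all == 1 && val[i] + 0 == 1) ? 1 : 0
                printf "%s raw=%s effective=%s\n", i, val[i], eff
            }
        }'
}

# count_effective_enabled: number of interfaces that would actually accept
# source-routed packets, read from sysctl-style lines on stdin.
count_effective_enabled() {
    audit_source_route | grep -c 'effective=1$' || true
}

# audit_live: same check against the running kernel (only meaningful on Linux
# with sysctl available; nothing here calls it automatically).
audit_live() {
    sysctl -a 2>/dev/null | grep 'accept_source_route' | audit_source_route
}

# Sample run over the constructed values from the bug report.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_source_route
```

Running it prints "eno1 raw=1 effective=0" and "lo raw=1 effective=0", which is the situation the last comment describes: the interface values look alarming in isolation but, with "all" at 0, no interface accepts source-routed packets. Flip the sample's "all" line to 1 and the effective column follows the per-interface values, which is the case a hardening baseline actually cares about.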
This report contains Public Security information.