
How to remediate – Record Route

1. Introduction

Record Route is an IP header option that lets a sender obtain a traceroute-style list of the hops to a remote host by sending packets with the ‘Record Route’ option enabled. This can reveal internal network topology, which helps an attacker map your infrastructure. Any system whose network stack honours the option is affected. Successful use discloses network details, impacting confidentiality.

2. Technical Explanation

The vulnerability stems from the ability to request the ‘Record Route’ option during IP packet transmission. Attackers can use this feature to discover intermediate hops along a network path. There is no CVE associated with this specific information disclosure issue, as it’s considered an inherent part of the protocol functionality rather than a flaw. An attacker could send packets requesting Record Route and analyse the returned ICMP Time Exceeded messages to build a map of your network.

  • Root cause: The IP protocol allows for the ‘Record Route’ option in packets, which is not always disabled or filtered by network devices.
  • Exploit mechanism: An attacker sends an IP packet with the Record Route option set and analyses the responses to determine the path taken by the packet.
  • Scope: Any system running a TCP/IP stack that does not filter or disable ‘Record Route’ packets is potentially affected. This includes routers, firewalls, servers, and workstations.

3. Detection and Assessment

Confirming vulnerability involves checking if the ‘Record Route’ option can be successfully used to obtain traceroute information. A quick check involves attempting a simple ping with the Record Route option set. Thorough assessment requires analysing network traffic for responses containing Record Route data.

  • Quick checks: Use `ping` with the `-R` option on Linux or equivalent tools on other platforms. For example, `ping -R `
  • Scanning: Nmap can be used to identify hosts that respond to ICMP requests and may reveal Record Route information during network discovery scans. (Example only).
  • Logs and evidence: Examine firewall logs for packets with the IP protocol option field set, indicating a Record Route request.

ping -R 8.8.8.8
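The “analysing network traffic for responses containing Record Route data” check above can be done offline on captured packets. The parser below is an added example (not from the original article) that walks the IPv4 option area, reports the addresses a Record Route option has collected, and doubles as the “does this packet carry the option?” test a firewall-log or capture review needs. The two sample packets are constructed inline; their checksums are left at zero, and the option type codes come from RFC 791.

```python
import struct
from typing import List, Optional

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7   # IPv4 option type codes (RFC 791)

def parse_record_route(packet: bytes) -> Optional[List[str]]:
    """Return the addresses a Record Route option has collected so far
    ([] if no hop has written yet), or None if the option is absent."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                # header length incl. options
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:                   # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        if kind == IPOPT_RR:
            pointer = opts[i + 2]               # 1-based offset of next free slot
            if pointer < 4 or pointer > length + 1:
                raise ValueError("bad Record Route pointer")
            filled = opts[i + 3 : i + pointer - 1]   # slots already written
            return [".".join(map(str, filled[j:j + 4]))
                    for j in range(0, len(filled) - len(filled) % 4, 4)]
        i += length
    return None

def has_record_route(packet: bytes) -> bool:
    """Firewall-log style check: does the header carry a Record Route option?"""
    return parse_record_route(packet) is not None

def build_ipv4(src: bytes, dst: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4 header for the samples below (checksum left as 0)."""
    ihl = 5 + len(options) // 4                 # options must be 4-byte padded
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 1, 0, src, dst) + options

# Constructed samples: a packet whose RR option already holds two router
# addresses, and the same packet with no options at all.
RR_OPTION = bytes([IPOPT_RR, 11, 12, 192, 0, 2, 1, 198, 51, 100, 7, IPOPT_EOL])
RR_PACKET = build_ipv4(bytes([10, 0, 0, 5]), bytes([8, 8, 8, 8]), RR_OPTION)
PLAIN_PACKET = build_ipv4(bytes([10, 0, 0, 5]), bytes([8, 8, 8, 8]))
```

Run `parse_record_route` over the IP headers of echo replies captured during the Section 3 ping test: any non-empty list is the path information the article describes, and a None result is what you expect once the filtering is in place.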

4. Solution / Remediation Steps

The primary solution is to block or disable ‘Record Route’ packets on network devices. This prevents attackers from obtaining traceroute information. These steps should be performed during a scheduled maintenance window.

4.1 Preparation

  • Ensure you have access to the command line interface or web management console of your network devices. The rollback plan is to restore the backed-up firewall configuration.
  • Changes should be approved by a senior network engineer.

4.2 Implementation

  1. Step 1: Configure your firewall to drop packets with the ‘Record Route’ option set in the IP header. The exact command varies depending on the vendor (e.g., Cisco, Juniper, Fortinet).
  2. Step 2: Verify the configuration change by attempting a ping with the Record Route option from an external host.
  3. Step 3: Monitor firewall logs to ensure that packets with the ‘Record Route’ option are being dropped as expected.

4.3 Config or Code Example

Before

! No specific configuration for Record Route filtering (Cisco example)

After

ip access-list extended block_record_route
 deny ip any any option record-route
 permit ip any any
! Apply the ACL inbound on the relevant interfaces with "ip access-group block_record_route in" (Cisco example).
! The trailing permit is required: an ACL ends with an implicit deny, so without it all other traffic would be dropped.

4.4 Security Practices Relevant to This Vulnerability

Network segmentation and least privilege can limit the impact of information disclosure. Input validation is less directly applicable here, but ensuring only necessary protocols are enabled helps reduce attack surface.

  • Practice 1: Network segmentation limits the scope of any potential network mapping by an attacker.
  • Practice 2: Least privilege ensures that attackers have limited access to sensitive information even if they gain some knowledge of your network topology.

4.5 Automation (Optional)

Configuration management tools like Ansible can be used to automate the deployment of firewall rules across multiple devices. Be careful when applying changes at scale.

---
- hosts: firewalls
  tasks:
    - name: Block Record Route packets
      cisco.ios.ios_config:
        parents:
          - ip access-list extended block_record_route
        lines:
          - deny ip any any option record-route
          - permit ip any any   # keep the ACL's implicit deny from dropping all other traffic

5. Verification / Validation

  • Post-fix check: Run `ping -R ` again. Expected output should be no response, or a standard ICMP Time Exceeded message without Record Route data.
  • Re-test: Re-run the initial ping test from Section 3 to confirm that Record Route packets are now being blocked.
  • Smoke test: Verify you can still access key services like DNS and web servers.

ping -R 8.8.8.8 (should not return traceroute information)

6. Preventive Measures and Monitoring

  • Baselines: Update your network device baseline configuration to explicitly block Record Route packets.
  • Pipelines: Include checks in your CI/CD pipeline to ensure that new firewall configurations do not inadvertently re-enable Record Route functionality.
  • Asset and patch process: Review firewall rules regularly as part of a change management process.

7. Risks, Side Effects, and Roll Back

Blocking Record Route packets should not impact normal network operations. However, it may affect certain diagnostic tools that rely on this functionality. The rollback steps involve restoring the backed-up firewall configuration.

  • Risk or side effect 1: Some network troubleshooting tools might be affected if they rely on Record Route.
  • Risk or side effect 2: Incorrectly configured firewall rules could inadvertently block legitimate traffic.
  • Roll back: Restore the backed-up firewall configuration from Section 4.1.

8. References and Resources

  • Vendor advisory or bulletin: Consult your network device vendor’s documentation for specific configuration instructions.
  • NVD or CVE entry: No specific CVE exists for this information disclosure issue, as it is inherent to the protocol functionality.
  • Product or platform documentation relevant to the fix: Refer to your firewall vendor’s documentation on IP header options filtering.
Updated on December 27, 2025
