Hvad kan vi hjælpe med?
< Alle Emner
Print

ICMP Timestamp Request Remote Date Disclosure (CVE-1999-0524)

Postet12 July 2024
Opdateret12 December 2024

**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.

Vulnerability Details

The “ICMP Timestamp Request Remote Date Disclosure” vulnerability involves the use of ICMP (Internet Control Message Protocol) to request and receive timestamp information from a target system. ICMP is a protocol used for error messages and operational information queries, such as ping commands. Specifically, ICMP timestamp requests (type 13) and replies (type 14) can reveal the exact time of the target system.

Severity Rating

Low

How to Verify if a Device is Vulnerable

Use Nessus plugin ID 10114 to scan the device for this vulnerability. To find out if a device is vulnerable, we can use two different tools. Hping3 or nping. Ping the Device with a Timestamp Request: Use a network utility tool like hping3 or nping to send ICMP timestamp requests to the device. Example command with hping3: Using hping3 write the following command: “hping3 -1 –icmptype 13 <target_ip>” Check for Replies: If the device responds with an ICMP timestamp reply (type 14), it indicates that the device is potentially vulnerable. Analyze the Response: Examine the timestamp in the reply to see if it reveals system time or uptime information. You can also use the tool nping.
Using nping, use the following command: “nping –icmp –icmp-type timestamp-request <target_ip>” If you receive timestamp replies, your device is vulnerable to ICMP Timestamp Request Remote Date Disclosure.

How to Fix

To fix the “ICMP Timestamp Request Remote Date Disclosure” vulnerability, we need to block the requests from an attacker. Find your platform below and apply the correct fix:

Execute the following commands depending on your system:

HP-UX

“ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0”

Cisco IOS

Use ACLs: “deny icmp any any 13 deny icmp any any 14”

Linux

Use iptables: iptables -A INPUT -p icmp –icmp-type timestamp-request -j DROP iptables -A OUTPUT -p icmp –icmp-type timestamp-reply -j DROP

Windows NT

Block ICMP at the firewall.

OpenBSD

Set sysctl variable: sysctl -w net.inet.icmp.tstamprepl=0 Cisco PIX
Disable ICMP on the internal interface: icmp deny any 13 icmp deny any 14
Sun Solaris
Execute: /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0 /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 Windows 2000
Use IPSec filter to block ICMP types 13 and 14. Windows XP, Server 2003
Disable incoming timestamp request in Windows Firewall settings. Windows Vista, Server 2008
Use `netsh` command: netsh firewall set icmpsetting 13 disable For all platforms, configuring your firewall to block ICMP types 13 and 14 is the easiest and most effective solution.

Rollback

To roll back the fixes for ICMP timestamp disclosure, execute the following commands depending on your system: HP-UX
“ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1” Cisco IOS
Remove ACL entries: no access-list <ACL_ID> deny icmp any any 13
no access-list <ACL_ID> deny icmp any any 14 Linux
Remove iptables rules:
” iptables -D INPUT -p icmp –icmp-type timestamp-request -j DROP
iptables -D OUTPUT -p icmp –icmp-type timestamp-reply -j DROP ” Windows NT
Adjust firewall settings to allow ICMP.

OpenBSD
Set sysctl variable: “sysctl -w net.inet.icmp.tstamprepl=1” Cisco PIX
Enable ICMP: “icmp permit any 13
icmp permit any 14”

Sun Solaris

“/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 1
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1” Windows 2000
Remove IPSec filter blocking ICMP types 13 and 14. Windows XP, Server 2003
Adjust Windows Firewall settings to allow incoming timestamp requests. Windows Vista, Server 2008
Use netsh command:
“netsh firewall set icmpsetting 13 enable” For all platforms, adjust firewall settings to allow ICMP types 13 and 14 as needed.

How to Verify the Fix

– Rescan the device with Nessus plugin ID 10114 and check for the vulnerability. Use the tools either hping3 or nping and check for responses. If server does not respond to the ICMP request, the fix has been implemented correctly.

Links (for additional resources and references)

https://www.tenable.com/plugins/nessus/10114
https://community.cisco.com/t5/routing/icmp-timestamp-request-remote-date-disclosure/td-p/5113571

Tags:
Indholdsfortegnelse