ICMP Timestamp Request Remote Data Disclosure on Catalyst 9300

Jeff Horton
Level 1

From an ACAS scan, I am getting the "ICMP Timestamp Request Remote Data Disclosure" (Tenable 10114) from one of my Catalyst 9300 switches. I am currently on IOS XE version 17.13.1. I have five other catalyst 9300s that are not showing this issue. Any idea why one would and other would not? I have compared the configurations on multiple switches with the one that is having this issue and they are all the same.

7 Replies

balaji.bandi
Hall of Fame

First I would check the configuration between those 2 devices.

One suggestion is to add an ACL:

! Extended numbered ACL (100-199): the ICMP type keywords require an extended ACL,
! a standard list (1-99) only matches on source address
access-list 100 deny icmp any any timestamp-request
access-list 100 deny icmp any any timestamp-reply
access-list 100 permit ip any any

int gig x/x
 ip access-group 100 in

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

marce1000
VIP

 

 - Verify the ACL solution offered by @balaji.bandi with, for instance:
   #  hping3 switch-ip-address --icmp --icmp-ts -V

  And look into the latest advisory software version, if applicable, and try again with the above command.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Jeff Horton
Level 1

I don't have that configuration on any of my other switches and they are not reporting this issue. All of them are running the same version (17.13.1).

Hello,

If you compare the time on all switches, is it exactly the same? Which version of the plugin are you using (version 1.53 being the latest, I believe)?

https://www.tenable.com/plugins/nessus/10114?_gl=1*by96ki*_ga*ODczMDk0Mjc3LjE3MTUyMDMwOTQ.*_ga_HSJ1XWV6ND*MTcxNTIwMzA5My4xLjEuMTcxNTIwMzcxNC42MC4xLjE3NDk0MTM4MjY.

Jeff Horton
Level 1

I have no idea what version of plugin is being used as I don't do the scans.

I applied this version of the ACL on my switch, on the interface VLAN that has the switch IP address. Waiting for the CS team to rescan:

ip access-list extended 100
    deny icmp any any timestamp-request
    deny icmp any any timestamp-reply
    permit ip any any

int vlan x
 ip access-group 100 in

Keep us posted on how it goes when you have feedback from the pen testing team.

BB


Mike H5
Level 1

Did that ACL work? I have the same thing going on with our security scanner. I added this access list:

ip access-list ICMP_Timestamp
10 deny icmp any any timestamp-reply
20 deny icmp any any timestamp-request
30 permit ip any any

Then applied it:

interface GigabitEthernet0
 ip access-group ICMP_Timestamp in

This resulted in ALL pings matching the timestamp-reply line and being dropped.

It only allows pings when I add:

5 permit icmp any any echo

Which I have a feeling will allow the timestamp lines as well. It's an ISR4431; this seems like odd behavior to me.