11-13-2012 05:12 AM - edited 02-21-2020 04:47 AM
Does anyone know the NX-OS equivalent of the IOS command 'no ip tcp timestamp'? This would be to disable TCP timestamps so an attacker cannot gather system uptime.
Thanks.
11-13-2012 06:57 PM
I don't believe it can be disabled.
As you've noted, the command is not available in NX-OS. Furthermore, there doesn't appear to be any equivalent recommended in Cisco's guide to securing NX-OS. One can only assume that Cisco does not consider it to be a vulnerability.
I checked by scanning a Nexus 5548UP just now (with the latest NX-OS 5.2(1)N1 installed) and nmap was able to get a close estimate of the actual system uptime (varied by a couple of days from that reported from the device's CLI).
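How a scanner arrives at the uptime figure discussed above, as an added example that is not from any poster or from Cisco: it reads TSval from the TCP Timestamps option (kind 8) in two replies, infers the tick rate from the difference, and divides the latest TSval by that rate. The candidate tick rates, helper names and sample values are assumptions constructed for illustration, and the arithmetic only means something if the counter started near zero at boot; a stack that adds a random offset to TSval makes the estimate meaningless.

```python
import struct

COMMON_HZ = (1, 2, 100, 250, 1000)  # assumed candidate tick rates for this example

def build_opts(tsval, tsecr=0):
    """Constructed sample: NOP, NOP, Timestamps option (kind 8, length 10)."""
    return b"\x01\x01\x08\x0a" + struct.pack("!II", tsval, tsecr)

def parse_tsval(options):
    """Walk a TCP options field and return TSval, or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(options):          # truncated: no length byte
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                          # malformed length, stop instead of misparsing
        if kind == 8 and length == 10:
            return struct.unpack("!II", options[i + 2:i + 10])[0]
        i += length
    return None

def estimate_uptime(samples):
    """samples: [(capture_time_seconds, tsval), ...] -> (hz, uptime_seconds) or None."""
    if len(samples) < 2:
        return None
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if t1 <= t0:
        return None
    ticks = (v1 - v0) % 2**32              # TSval is a 32-bit counter and may wrap
    raw_hz = ticks / (t1 - t0)
    hz = min(COMMON_HZ, key=lambda c: abs(c - raw_hz))  # snap to nearest candidate
    return hz, v1 / hz

# Constructed captures: two replies seen 10 seconds apart.
SAMPLES = [(0.0, parse_tsval(build_opts(864_000_000))),
           (10.0, parse_tsval(build_opts(864_010_000)))]
if __name__ == "__main__":
    print(estimate_uptime(SAMPLES))
```

Running the same calculation against two captured replies from a device and comparing the result with the uptime shown on its CLI tells you whether the scanner finding reflects real uptime exposure or an artefact of how that stack seeds its timestamp counter.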
08-10-2018 07:07 AM
If Cisco does not consider it a vulnerability, and there is a chance that the device can be exploited by knowing the system time, then why doesn't Cisco do anything about it?
Our scanner is also reporting the same TCP timestamp response vulnerability. Could someone please provide us with a solution for it?
12-30-2020 01:11 PM
Our scanner detected a TCP timestamp response vulnerability on a Nexus 7K running 8.4(3) code, yet Cisco stated the switch is not affected by it, nor did they provide any evidence of whether the switch is affected or not.
Has anyone found workarounds? Please share!!
Thanks,
Sunny