05-22-2024 11:07 AM
I have 8 Cisco 3850 switches that have a vulnerability that needs to be fixed. The vulnerability is ICMP Timestamp Request Remote Date Disclosure. Essentially what I need to do is filter out the incoming ICMP timestamp requests (13) and the outgoing ICMP timestamp replies (14). I am unsure how to go about this. Any assistance/feedback would be appreciated.
05-22-2024 11:22 PM
- FYI : https://community.cisco.com/t5/other-security-subjects/i-need-a-fix-for-cve-1999-0524/m-p/3908354#M149108
https://community.cisco.com/t5/data-center-switches/icmp-timestamp-request-remote-date-disclosure/td-p/5102310
M.
06-21-2024 07:51 AM
I have attempted the ACLs but still receive timestamps on command prompt. How do you correct this? I have looked at both threads and still cannot correctly apply it.
06-21-2024 08:23 AM
Both threads describe using an ACL applied inbound to filter out the timestamp request. Can you give some information about your environment and some details about the ACL that you configured and how you applied it?
I am not clear what you mean when you say "but still receive timestamps on command prompt". Where are you executing this command prompt?
06-21-2024 08:45 AM
ACLs were applied to the management VLAN interface and did not work for us. They were then applied to the trunk interface and did not work as well. As for command prompt, we tested to see if it worked by going onto command prompt and running ping -s against the switch.
06-24-2024 08:39 AM
I opened a ticket with TAC and they notified me that this vulnerability does not apply and is not Cisco related. It is a Linux based vulnerability. My group accepted it as a false positive/accepted risk. However, if you still want to filter the ICMP, you can check whether there is any ICMP 13 and 14 traffic or not by capturing it as follows:
monitor capture TEST interface gig 1/0/1 in control-plane both match ipv4 host <destination IP> host <IP of gig 1/0/1> buffer size 100
monitor capture TEST start
monitor capture TEST stop
show monitor capture buffer brief
no monitor capture TEST
monitor capture TEST interface gig 1/0/1 out control-plane both match ipv4 host <IP of gig 1/0/1> host <destination IP> buffer size 100
monitor capture TEST start
monitor capture TEST stop
show monitor capture buffer brief
06-24-2024 08:55 AM
Thanks for the reply. We are currently waiting on scans to come back to see if the ACLs we applied this time have worked.
08-14-2024 04:57 PM
Well did it work?
09-30-2024 10:28 AM - edited 09-30-2024 10:30 AM
Here's my setup and it works fine. Nothing comes up on the scans anymore.
Create the extended access-list:
ip access-list extended icmp-timestamps
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit ip any any
** you can also use
**deny icmp any any 13 (which = timestamp-request)
**deny icmp any any 14 (which = timestamp-reply)
Make sure you have the allow ip any any at the end of your access list or you'll shut down whatever port you're applying it to.
Now apply the access-list to any VLAN that these requests and replies are on - for example:
int vlan1
ip access-group icmp-timestamps in
ip access-group icmp-timestamps out
**This rejects any timestamp traffic coming in or going out.
Test it on your running config - then do a "wr mem" and forget about it!
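Before pushing the ACL above to all eight switches, it is worth checking each running config for the three things the post insists on: both ICMP types are denied (by keyword or by number), the list still ends with permit ip any any, and every interface that references it has the list applied in both directions. The script below is an added example, not from the thread or from Cisco; it parses a constructed running-config excerpt with a simple line parser and only understands the "any any" form of ACE used in the post (host-specific entries and the sequence-numbered output of show running-config with sequence numbers are tolerated but not interpreted further).

```python
"""Audit an IOS-style running config for the ICMP timestamp ACL described above."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt (not from any real switch):
# one ACL built exactly as in the post, one that forgot the final permit,
# and two SVIs applying them differently.
SAMPLE_CONFIG = """\
!
ip access-list extended icmp-timestamps
 deny icmp any any timestamp-request
 deny icmp any any timestamp-reply
 permit ip any any
!
ip access-list extended icmp-timestamps-bad
 10 deny icmp any any 13
 20 deny icmp any any 14
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip access-group icmp-timestamps in
 ip access-group icmp-timestamps out
!
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
 ip access-group icmp-timestamps-bad in
!
"""

# ICMP type 13 / 14 may be written by keyword or by number (both forms in the post).
TIMESTAMP_REQUEST = {"timestamp-request", "13"}
TIMESTAMP_REPLY = {"timestamp-reply", "14"}

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
IFACE_HEADER = re.compile(r"^interface (\S+)\s*$")
# Only the 'any any' form used in the thread is parsed; leading sequence number optional.
ACE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+any\s+any(?:\s+(\S+))?\s*$")
ACCESS_GROUP = re.compile(r"^\s*ip access-group (\S+) (in|out)\s*$")


@dataclass
class AclFindings:
    name: str
    entries: list = field(default_factory=list)     # (action, protocol, qualifier)
    applied_on: dict = field(default_factory=dict)  # interface -> {"in", "out"}

    def _denies_icmp(self, qualifiers):
        return any(a == "deny" and p == "icmp" and q in qualifiers
                   for a, p, q in self.entries)

    @property
    def denies_request(self):
        return self._denies_icmp(TIMESTAMP_REQUEST)

    @property
    def denies_reply(self):
        return self._denies_icmp(TIMESTAMP_REPLY)

    @property
    def ends_with_permit_any(self):
        # Without this the implicit deny drops every other packet on the interface.
        return bool(self.entries) and self.entries[-1] == ("permit", "ip", None)

    @property
    def applied_both_ways(self):
        return bool(self.applied_on) and all(
            dirs == {"in", "out"} for dirs in self.applied_on.values())

    @property
    def compliant(self):
        return (self.denies_request and self.denies_reply
                and self.ends_with_permit_any and self.applied_both_ways)


def audit_config(config_text):
    """Return {acl_name: AclFindings} for every extended ACL defined or referenced."""
    acls = {}
    current_acl = current_iface = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # '!' closes a config section
            current_acl = current_iface = None
            continue
        if m := ACL_HEADER.match(line):
            current_acl, current_iface = m.group(1), None
            acls.setdefault(current_acl, AclFindings(current_acl))
        elif m := IFACE_HEADER.match(line):
            current_iface, current_acl = m.group(1), None
        elif current_acl and (m := ACE.match(line)):
            acls[current_acl].entries.append((m.group(1), m.group(2), m.group(3)))
        elif current_iface and (m := ACCESS_GROUP.match(line)):
            name, direction = m.group(1), m.group(2)
            acls.setdefault(name, AclFindings(name))
            acls[name].applied_on.setdefault(current_iface, set()).add(direction)
    return acls


def report(acls):
    """One line per ACL: OK when all four checks pass, FIX otherwise."""
    lines = []
    for name, f in sorted(acls.items()):
        applied = {i: sorted(d) for i, d in f.applied_on.items()}
        status = "OK" if f.compliant else "FIX"
        lines.append(f"{status} {name}: req={f.denies_request} reply={f.denies_reply} "
                     f"permit_any_last={f.ends_with_permit_any} applied={applied}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_config(SAMPLE_CONFIG)))
```

Feed it the output of show running-config from each switch and look for any FIX line; the second ACL in the sample is flagged both because it lacks the closing permit and because Vlan10 applies it inbound only.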