# ICMP Timestamp Request Remote Date Disclosure (CVE-1999-0524) The **ICMP Timestamp Request Remote Date Disclosure** vulnerability occurs when an attacker is able to send an ICMP (Internet Control Message Protocol) timestamp request to a target system, which then responds with the system's timestamp information. This can expose the exact time of the target system. ICMP is a protocol used for network error messages and diagnostics (e.g., "ping" commands). The vulnerability specifically affects ICMP timestamp requests (type 13) and responses (type 14), which can inadvertently reveal sensitive system information like the current date and time. **Severity Rating**: Low *** ### Verifying If a System is Vulnerable You can use tools like **Nessus**, **hping3**, or **nping** to check if a device is vulnerable to this issue. #### Using Nessus Scan the device using **Nessus Plugin ID 10114** to check if it is susceptible to this vulnerability. #### Using hping3 To check for the vulnerability with **hping3**, run the following command to send an ICMP timestamp request (type 13): ```bash hping3 -1 --icmp-ts ``` * **Check for Replies**: If the target system responds with an ICMP timestamp reply (type 14), this indicates that the system is vulnerable. * **Analyze the Response**: Review the timestamp in the reply. If it reveals the system’s current time or uptime, the target is vulnerable. #### Using nping You can also use **nping** to perform a similar test: ```bash nping --icmp --icmp-type timestamp-request ``` If you receive an ICMP timestamp reply (type 14), your system is vulnerable to the ICMP Timestamp Request Remote Date Disclosure. Here's what each part means: * "-1" sets ICMP mode * "--icmp-ts" specifies ICMP timestamp request (type 13) * \ is the IP address of your target[5](https://denizhalil.com/2024/03/18/mastering-hping3-guide-network-security/)[9](https://gbhackers.com/hping3-network-scanner-packer-generator/) This command will send an ICMP timestamp request to the specified target, which can be used to potentially disclose the remote date of the target system[8](https://www.cyberopssec.com/2024/05/08/icmp-timestamp-request-remote-date-disclosure/).ShareRewrite
*** ### Fixing the Vulnerability To mitigate this vulnerability, block ICMP timestamp requests (type 13) and responses (type 14) from external sources. Below are instructions for applying fixes on various platforms. #### HP-UX Run the following command to disable timestamp responses: ```bash ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 ``` #### Cisco IOS Use Access Control Lists (ACLs) to block timestamp requests and replies: ```bash deny icmp any any 13 deny icmp any any 14 ``` #### Linux Use **iptables** to block ICMP timestamp requests and replies: ```bash iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP ``` #### Windows NT Block ICMP timestamp requests through the firewall. #### OpenBSD Disable timestamp responses by setting the `sysctl` variable: ```bash sysctl -w net.inet.icmp.tstamprepl=0 ``` #### Cisco PIX To block timestamp requests and replies, run: ```bash icmp deny any 13 icmp deny any 14 ``` #### Sun Solaris Disable timestamp responses with the following commands: ```bash /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0 /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 ``` #### Windows 2000 Block ICMP types 13 and 14 with an IPSec filter. #### Windows XP / Server 2003 Disable incoming timestamp requests through the Windows Firewall settings. #### Windows Vista / Server 2008 Use the `netsh` command to disable timestamp requests: ```bash netsh firewall set icmpsetting 13 disable ``` #### General Solution For all platforms, the most effective fix is to configure your firewall to block ICMP types 13 (timestamp request) and 14 (timestamp reply). *** ### Rolling Back the Fixes If you need to undo the changes, follow the commands specific to your platform: #### HP-UX Re-enable timestamp responses with: ```bash ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1 ``` #### Cisco IOS Remove the ACL entries: ```bash no access-list deny icmp any any 13 no access-list deny icmp any any 14 ``` #### Linux Remove the **iptables** rules: ```bash iptables -D INPUT -p icmp --icmp-type timestamp-request -j DROP iptables -D OUTPUT -p icmp --icmp-type timestamp-reply -j DROP ``` #### Windows NT Adjust firewall settings to allow ICMP requests. #### OpenBSD Re-enable timestamp responses with: ```bash sysctl -w net.inet.icmp.tstamprepl=1 ``` #### Cisco PIX To enable ICMP timestamp responses again, run: ```bash icmp permit any 13 icmp permit any 14 ``` #### Sun Solaris Re-enable timestamp responses with: ```bash /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 1 /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1 ``` #### Windows 2000 Remove the IPSec filter that blocks ICMP types 13 and 14. #### Windows XP / Server 2003 Adjust Windows Firewall settings to allow incoming timestamp requests. #### Windows Vista / Server 2008 Re-enable timestamp requests using the following command: ```bash netsh firewall set icmpsetting 13 enable ``` *** ### Verifying the Fix After applying the fix, you can verify that the vulnerability has been addressed: 1. **Rescan the system** with **Nessus Plugin ID 10114** to ensure that the vulnerability is no longer present. 2. Use **hping3** or **nping** to send a timestamp request and verify that no reply is received. If no reply is received, the fix has been successfully applied.