ICMP Timestamp Request Remote Date Disclosure (CVE-1999-0524)

The ICMP Timestamp Request Remote Date Disclosure vulnerability occurs when an attacker is able to send an ICMP (Internet Control Message Protocol) timestamp request to a target system, which then responds with the system's timestamp information. This can expose the exact time of the target system.

ICMP is a protocol used for network error messages and diagnostics (e.g., "ping" commands). The vulnerability specifically affects ICMP timestamp requests (type 13) and responses (type 14), which can inadvertently reveal sensitive system information like the current date and time.

Severity Rating: Low


Verifying If a System is Vulnerable

You can use tools like Nessus, hping3, or nping to check if a device is vulnerable to this issue.

Using Nessus

Scan the device using Nessus Plugin ID 10114 to check if it is susceptible to this vulnerability.

Using hping3

To check for the vulnerability with hping3, run the following command to send an ICMP timestamp request (type 13):

hping3 -1 --icmp-ts <target_ip>
  • Check for Replies: If the target system responds with an ICMP timestamp reply (type 14), this indicates that the system is vulnerable.

  • Analyze the Response: Review the timestamp in the reply. If it reveals the system’s current time or uptime, the target is vulnerable.
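To make "analyze the response" concrete, the following added example (not part of the original page) decodes the 20-byte ICMP timestamp reply defined in RFC 792 and shows what the three timestamp fields disclose. The function names and the sample message are constructed for illustration; it parses bytes offline and sends nothing.

```python
import struct
from datetime import timedelta

MS_PER_DAY = 86_400_000

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def describe(ts: int) -> str:
    """Render one 32-bit timestamp field as a time of day."""
    if ts & 0x80000000:  # RFC 792: high bit set = not ms-since-midnight UT
        return f"non-standard (0x{ts:08x})"
    if ts >= MS_PER_DAY:
        return f"out of range ({ts} ms)"
    return f"{timedelta(milliseconds=ts)} UTC"

def parse_timestamp_reply(msg: bytes) -> dict:
    """Decode a 20-byte ICMP timestamp reply (IP header already stripped)."""
    if len(msg) != 20:
        raise ValueError("an ICMP timestamp message is exactly 20 bytes")
    mtype, code, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", msg)
    if (mtype, code) != (14, 0):
        raise ValueError(f"not a timestamp reply (type={mtype}, code={code})")
    if inet_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    # Values with the high bit set are >= MS_PER_DAY, so one test covers both cases.
    standard = max(orig, recv) < MS_PER_DAY
    return {
        "id": ident, "seq": seq,
        "originate": describe(orig), "receive": describe(recv),
        "transmit": describe(xmit),
        # Target clock minus sender clock, ignoring network latency.
        "offset_ms": recv - orig if standard else None,
    }

def build_sample_reply(orig, recv, xmit, ident=0x1234, seq=1) -> bytes:
    """Constructed test input: a well-formed type 14 message."""
    body = struct.pack("!BBHHHIII", 14, 0, 0, ident, seq, orig, recv, xmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    # Constructed values: sender clock 12:00:00.000, target clock 12:00:05.250
    print(parse_timestamp_reply(build_sample_reply(43_200_000, 43_205_250, 43_205_250)))
```

The receive and transmit fields are the target's own clock readings, which is the information this finding reports as disclosed.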

Using nping

You can also use nping to perform a similar test:

nping --icmp --icmp-type timestamp-request <target_ip>

If you receive an ICMP timestamp reply (type 14), your system is vulnerable to the ICMP Timestamp Request Remote Date Disclosure.

Here's what each part of the hping3 command means:

  • "-1" sets ICMP mode

  • "--icmp-ts" specifies ICMP timestamp request (type 13)

  • <target_ip> is the IP address of your target

This command will send an ICMP timestamp request to the specified target, which can be used to potentially disclose the remote date of the target system.


Fixing the Vulnerability

To mitigate this vulnerability, block ICMP timestamp requests (type 13) and responses (type 14) from external sources. Below are instructions for applying fixes on various platforms.

HP-UX

Run the following command to disable timestamp responses:

ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Cisco IOS

Use Access Control Lists (ACLs) to block timestamp requests and replies:

deny icmp any any 13
deny icmp any any 14

Linux

Use iptables to block ICMP timestamp requests and replies:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Windows NT

Block ICMP timestamp requests through the firewall.

OpenBSD

Disable timestamp responses by setting the sysctl variable:

sysctl -w net.inet.icmp.tstamprepl=0

Cisco PIX

To block timestamp requests and replies, run:

icmp deny any 13
icmp deny any 14

Sun Solaris

Disable timestamp responses with the following commands:

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Windows 2000

Block ICMP types 13 and 14 with an IPSec filter.

Windows XP / Server 2003

Disable incoming timestamp requests through the Windows Firewall settings.

Windows Vista / Server 2008

Use the netsh command to disable timestamp requests:

netsh firewall set icmpsetting 13 disable

General Solution

For all platforms, the most effective fix is to configure your firewall to block ICMP types 13 (timestamp request) and 14 (timestamp reply).


Rolling Back the Fixes

If you need to undo the changes, follow the commands specific to your platform:

HP-UX

Re-enable timestamp responses with:

ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1

Cisco IOS

Remove the ACL entries:

no access-list <ACL_ID> deny icmp any any 13
no access-list <ACL_ID> deny icmp any any 14

Linux

Remove the iptables rules:

iptables -D INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -D OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Windows NT

Adjust firewall settings to allow ICMP requests.

OpenBSD

Re-enable timestamp responses with:

sysctl -w net.inet.icmp.tstamprepl=1

Cisco PIX

To enable ICMP timestamp responses again, run:

icmp permit any 13
icmp permit any 14

Sun Solaris

Re-enable timestamp responses with:

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 1
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 1

Windows 2000

Remove the IPSec filter that blocks ICMP types 13 and 14.

Windows XP / Server 2003

Adjust Windows Firewall settings to allow incoming timestamp requests.

Windows Vista / Server 2008

Re-enable timestamp requests using the following command:

netsh firewall set icmpsetting 13 enable

Verifying the Fix

After applying the fix, you can verify that the vulnerability has been addressed:

  1. Rescan the system with Nessus Plugin ID 10114 to ensure that the vulnerability is no longer present.

  2. Use hping3 or nping to send a timestamp request and verify that no reply is received. If no reply is received, the fix has been successfully applied.
