ICMP timestamp Type 13 or 14 is incorrectly observed on vCenter Server

Article ID: 308835

Products

VMware vCenter Server

Issue/Introduction

An ICMP timestamp request (Type 13) sent to vCenter Server is answered with an ICMP timestamp reply (Type 14), although the appliance drops these by default. The behavior is observed when:

  • Scanning vCenter Server with a third-party vulnerability scanner
  • Pinging vCenter Server directly with an ICMP Type 13 timestamp request
  • Custom VAMI firewall rules are configured

Environment

vCenter Server 7.x
vCenter Server 8.x

Cause

A custom firewall rule has been created in the vCenter Server Management Interface (VAMI) under Edit Firewall Settings with the Action set to Accept, to allow traffic between vCenter Server and specific servers, hosts, or virtual machines. VAMI firewall rules cannot allow or block individual ports; a rule allows or blocks all traffic for the matching address.

ICMP timestamp requests (Type 13) and replies (Type 14) are normally dropped by the default iptables rules. A custom rule with the Action "Accept: Allow packet with corresponding address" overrides that: the packet from the matching address is accepted before the default ICMP drop rules are ever evaluated, so every protocol from that address, including ICMP timestamp, gets through.

The following command lists the default rules that drop ICMP Type 13 and Type 14. While a scanner from an Accepted address is running, the packet counters on these rules stay at zero, which confirms that the Accept rule is matching first:

root@vcenter [ ~ ]# iptables -L INPUT -v | grep icmp
    0     0 DROP       icmp --  any    any     anywhere             anywhere             icmp timestamp-request
    0     0 DROP       icmp --  any    any     anywhere             anywhere             icmp timestamp-reply

Resolution

Edit the Firewall Settings and change the Action of the custom rule from "Accept" to "Return: Apply default or port-specific rules to packet with corresponding address." With Return, traffic from the address is handed back to the default rule set, so the ICMP Type 13 and Type 14 drop rules apply again while the port-specific rules continue to allow the traffic the address needs.

Note: do not manually enable the iptables service from the command line. Doing so results in the condition described in "Unable to access vCenter after updating firewall rules from VAMI page when the iptables service is mistakenly enabled from the command line": vCenter services remain up and running, but the vCenter UI is no longer accessible.
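Why Return fixes the finding while Accept does not comes down to how netfilter walks chains: the first matching rule wins, ACCEPT and DROP are final, and RETURN hands the packet back to the calling chain so the default rules are still evaluated. The following is an added example, not code from this article or from the appliance: a small Python model of that traversal run over constructed iptables -S text. The chain name vami_custom, the scanner address 10.0.0.5 and the exact rule text are assumptions standing in for wherever VAMI really installs its rules; the three ICMP rules mirror the default listing shown in the Cause section.

```python
"""First-match model of the vCenter INPUT chain, showing why a VAMI rule
with Action "Accept" lets ICMP timestamp through and "Return" does not.

Added example for the KB article; not VMware code. It parses `iptables -S`
style text and walks chains the way netfilter does: first matching rule
wins, ACCEPT/DROP are terminating, RETURN (or falling off the end of a
user-defined chain) resumes in the calling chain, and a packet that reaches
the end of a built-in chain gets the chain policy.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]   # -s
    proto: Optional[str]                   # -p
    icmp_type: Optional[int]               # --icmp-type
    target: str                            # -j


def parse_rules(dump: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Parse -P/-N/-A lines. Only the match options used below are supported."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for line in dump.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":                       # built-in chain policy
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":                     # user-defined chain
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            src = proto = icmp_type = target = None
            i = 2
            while i < len(tok):
                opt, arg = tok[i], tok[i + 1]
                if opt == "-s":
                    src = ipaddress.ip_network(arg, strict=False)
                elif opt == "-p":
                    proto = arg
                elif opt == "-m":                # match module name ("-m icmp"); no effect here
                    pass
                elif opt == "--icmp-type":
                    icmp_type = int(arg)
                elif opt == "-j":
                    target = arg
                else:
                    raise ValueError(f"unsupported option {opt!r} in {line!r}")
                i += 2
            chains.setdefault(tok[1], []).append(Rule(src, proto, icmp_type, target))
    return policies, chains


def verdict(dump: str, src: str, proto: str = "icmp",
            icmp_type: Optional[int] = None, chain: str = "INPUT") -> str:
    """Return "ACCEPT" or "DROP" for one packet entering `chain`."""
    policies, chains = parse_rules(dump)
    pkt_src = ipaddress.ip_address(src)

    def walk(name: str) -> Optional[str]:
        for r in chains[name]:
            if r.src is not None and pkt_src not in r.src:
                continue
            if r.proto is not None and r.proto != proto:
                continue
            if r.icmp_type is not None and r.icmp_type != icmp_type:
                continue
            if r.target in ("ACCEPT", "DROP"):
                return r.target                  # terminating verdict
            if r.target == "RETURN":
                return None                      # resume in the calling chain
            result = walk(r.target)              # jump into a user-defined chain
            if result is not None:
                return result
        return None                              # end of chain: implicit RETURN

    return walk(chain) or policies[chain]        # end of built-in chain: policy applies


# Constructed `iptables -S` text, not captured from a real appliance. The chain
# name "vami_custom" is a hypothetical stand-in for where VAMI keeps custom
# rules; the three ICMP rules mirror the default listing in the KB article.
BASE = """\
-P INPUT ACCEPT
-N vami_custom
-A INPUT -j vami_custom
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A INPUT -p icmp -j ACCEPT
-A vami_custom -s 10.0.0.5/32 -j {action}
"""
SCANNER = "10.0.0.5"       # host covered by the custom VAMI rule (assumed address)
OTHER = "192.0.2.10"       # host not covered by any custom rule (assumed address)
WITH_ACCEPT = BASE.format(action="ACCEPT")   # "Accept: Allow packet with corresponding address"
WITH_RETURN = BASE.format(action="RETURN")   # "Return: Apply default or port-specific rules ..."

if __name__ == "__main__":
    for label, dump in (("Accept", WITH_ACCEPT), ("Return", WITH_RETURN)):
        print(f"VAMI action {label}:")
        print("  timestamp-request (13) from scanner:", verdict(dump, SCANNER, icmp_type=13))
        print("  echo-request (8) from scanner:      ", verdict(dump, SCANNER, icmp_type=8))
        print("  timestamp-request (13) from other:  ", verdict(dump, OTHER, icmp_type=13))
```

With the Accept action the scanner's Type 13 request is accepted inside vami_custom and the two DROP rules in INPUT are never reached; with Return the packet comes back to INPUT and is dropped, while ordinary echo requests are still allowed by the trailing ICMP ACCEPT rule. The model ignores conntrack and the port-specific rules; on a live appliance, compare against the real output of iptables -S INPUT and watch the DROP counters as described under Additional Information.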

Additional Information

Vulnerability scanners typically report this finding as CVE-1999-0524: "ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts." A timestamp reply discloses the appliance clock and is an information-disclosure finding only; it is not a compromise of vCenter Server.

Monitor drops with:

  • root@vcenter [ ~ ]# watch "iptables -nvL INPUT --line-numbers | grep icmp"

Monitor packet flows with:

  • root@vcenter [ ~ ]# tcpdump -n icmp

Default ICMP rules, if they need to be re-added. Order matters: the two DROP rules must come before the general ICMP ACCEPT, as in the listing above. Because -A appends to the end of the INPUT chain, first confirm with iptables -nvL INPUT --line-numbers that no earlier rule already accepts the traffic.

  • root@vcenter [ ~ ]# iptables -A INPUT -p icmp --icmp-type 13  -j DROP
  • root@vcenter [ ~ ]# iptables -A INPUT -p icmp --icmp-type 14  -j DROP
  • root@vcenter [ ~ ]# iptables -A INPUT -p icmp -j ACCEPT