IP table rules are not applied on the edge nodes

Article ID: 381851

Products

VMware NSX

Issue/Introduction

  • ICMP ping for unsupported ICMP types is successful (e.g. ICMP timestamp request (code 13)).
  • Due to security concerns (e.g. the vulnerability discussed in CVE-1999-0524), the desired behaviour is for the systems not to disclose system time to arbitrary hosts.
  • Due to this issue, a security scan run against the NSX Edge may flag the Edge as vulnerable to CVE-1999-0524.

Environment

  • NSX 4.2.x

Cause

The iptables rules files for the Edge Transport Node were added under the incorrect user on the Edge, so they are not applied.

Resolution

This issue is resolved in VMware NSX 4.2.1.1 available at Broadcom Downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

To work around this issue:

  1. Download the v4rules-420-fixed and v6rules-420-fixed files attached to this KB article.
  2. Ensure the checksums of downloaded files match the checksums below:
    +-------------------+----------------------------------+------------------------------------------------------------------+
    |                   | md5                              | sha256                                                           |
    +-------------------+----------------------------------+------------------------------------------------------------------+
    | v4rules-420-fixed | a1065910a974e361e653835369c4377a | 30a009888acb7510520e99cdda688d697708a71dd8c0924abe16d7eb15ef5ffc |
    +-------------------+----------------------------------+------------------------------------------------------------------+
    | v6rules-420-fixed | 8de7bfae9763072c4c20aa08c3b6fcef | 40a76c76dadeb060bb64d472d6050186cefb0cba7869a081eddfe087782b051b |
    +-------------------+----------------------------------+------------------------------------------------------------------+
  3. Use WinSCP or a similar tool to copy the two files to the Edge, into the /tmp directory.
  4. SSH to the impacted Edge Transport Node as root.
  5. Create a backup of directory "/etc/iptables":
    cp -r /etc/iptables /var/tmp/
  6. Load the rules from the new rule files (the IPv6 file is loaded with ip6tables-restore; -n keeps the existing rules instead of flushing them):
    iptables-restore -n /tmp/v4rules-420-fixed
    ip6tables-restore -n /tmp/v6rules-420-fixed
    Note: if the files were copied to a directory other than /tmp (in step 3), use the correct path to the files in both commands in step 6.
  7. Save the iptables rules (IPv4 and IPv6 are saved separately):
    iptables-save > /etc/iptables/root/v4rules
    ip6tables-save > /etc/iptables/root/v6rules
  8. Confirm all rules were applied:
    iptables -L
    ip6tables -L
  9. (Optional)
    1. Reboot the Edge and confirm all iptables rules are present/applied.
    2. Check status of iptable service (should be active/running):
      systemctl status set-iptables
    3. Confirm all syslog related iptable rules are present (if applicable):
      iptables -L | grep syslog
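The following script is an added example, not part of the KB, that automates steps 5 to 7 of the workaround while refusing to load a rule file whose SHA-256 does not match the table in step 2. It assumes sha256sum is available on the Edge, that the files keep the names from step 1, and that the v6 file is in ip6tables-save format (so it is loaded with ip6tables-restore).

```shell
#!/bin/sh
# Added example (not the KB's own code): verify the attached rule files against
# the KB's checksums before loading them, then load each file with the restore
# tool for its address family. Paths and hashes are taken from the KB steps.
set -u

RULES_DIR="${RULES_DIR:-/tmp}"   # step 3 copies the files here

# Expected SHA-256 values from the KB's checksum table (step 2).
V4_SHA256="30a009888acb7510520e99cdda688d697708a71dd8c0924abe16d7eb15ef5ffc"
V6_SHA256="40a76c76dadeb060bb64d472d6050186cefb0cba7869a081eddfe087782b051b"

# verify_sha256 FILE EXPECTED -> returns 0 only when the file's SHA-256 matches.
verify_sha256() {
  file="$1"; expected="$2"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual" >&2
    return 1
  fi
  return 0
}

# restore_tool FILE -> prints the restore command for the file's address family.
# Assumption: the v6 file holds ip6tables rules, so it goes through ip6tables-restore.
restore_tool() {
  case "$1" in
    *v6rules*) echo ip6tables-restore ;;
    *)         echo iptables-restore ;;
  esac
}

# apply_rules: steps 5-7 of the KB workaround; stops at the first failure and
# never loads a file that failed verification.
apply_rules() {
  v4="$RULES_DIR/v4rules-420-fixed"; v6="$RULES_DIR/v6rules-420-fixed"
  verify_sha256 "$v4" "$V4_SHA256" || return 1
  verify_sha256 "$v6" "$V6_SHA256" || return 1
  cp -r /etc/iptables /var/tmp/ || return 1                 # step 5: backup
  "$(restore_tool "$v4")" -n "$v4" || return 1              # step 6: load, no flush
  "$(restore_tool "$v6")" -n "$v6" || return 1
  iptables-save  > /etc/iptables/root/v4rules || return 1   # step 7: persist
  ip6tables-save > /etc/iptables/root/v6rules || return 1
}

# Run as root on the impacted Edge only (step 4):
# [ "$(id -u)" -eq 0 ] && apply_rules
```

Run it once per impacted Edge; a non-zero exit before step 6 means a file was missing or altered and nothing was changed on the node.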

Note:

  • The workaround must be applied on every impacted Edge node.
  • Any upgrade or Edge re-deployment will revert iptables to the default configuration, so the workaround must be re-applied afterwards.

Attachments

v6rules-420-fixed
v4rules-420-fixed