Bug 517246 - sys-apps/baselayout: tcp timestamps enabled
Summary: sys-apps/baselayout: tcp timestamps enabled
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-16 14:33 UTC by Agostino Sarubbo
Modified: 2014-07-31 17:55 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-07-16 14:33:59 UTC
During a scan with OpenVAS, every Gentoo install has this problem.




It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Paket 1: 321774380
Paket 2: 321774480

Impact:
A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Solution

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is, to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment.

See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Vulnerability Insight:
The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method:
Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported.

References:
Other: 	http://www.ietf.org/rfc/rfc1323.txt
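
What the two values quoted in this report disclose, worked through as an added example (not part of the original report, the scanner, or any Gentoo code): it infers the tick rate from the 1-second spacing and derives the uptime estimate the "Impact" line refers to. The candidate tick rates and the premise that the counter starts near zero at boot with no random offset are assumptions of the example.

```python
# Added example: estimate what two TCP timestamp (TSval) samples disclose.
# Assumptions (not from the report): the counter started near zero at boot,
# ticks at a common kernel rate, and has no per-connection random offset.

COMMON_HZ = (100, 250, 300, 1000)   # assumed candidate tick rates
WRAP = 2 ** 32                      # TSval is a 32-bit field (RFC 1323)


def estimate_tick_rate(ts1, ts2, delay_s):
    """Return the candidate rate closest to the observed ticks per second."""
    if delay_s <= 0:
        raise ValueError("delay must be positive")
    delta = (ts2 - ts1) % WRAP      # modular difference survives one wrap
    if delta == 0:
        raise ValueError("timestamps did not advance; cannot infer a rate")
    observed = delta / delay_s
    return min(COMMON_HZ, key=lambda hz: abs(hz - observed))


def estimate_uptime(ts1, ts2, delay_s):
    """Return (hz, uptime_seconds, wrap_period_seconds) for two samples."""
    hz = estimate_tick_rate(ts1, ts2, delay_s)
    uptime_s = ts2 / hz             # valid only if the counter began at 0
    wrap_period_s = WRAP / hz       # estimate is ambiguous modulo this period
    return hz, uptime_s, wrap_period_s


def describe(ts1, ts2, delay_s):
    """Summarise the estimate in days for a triage note."""
    hz, uptime_s, wrap_s = estimate_uptime(ts1, ts2, delay_s)
    return (f"tick rate ~{hz} Hz, uptime ~{uptime_s / 86400:.1f} days "
            f"(ambiguous modulo {wrap_s / 86400:.1f} days)")


if __name__ == "__main__":
    # The two values quoted in the scan output above, 1 second apart.
    print(describe(321774380, 321774480, 1))
```

The estimate is only as good as those assumptions: a counter that has wrapped, or a stack that offsets its timestamps, makes the derived uptime meaningless.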
Comment 1 Agostino Sarubbo gentoo-dev 2014-07-16 14:43:11 UTC
Discussed with WilliamH before opening the bug. I guess it is not needed to have it as restricted.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2014-07-16 14:44:56 UTC
This isn't A3, there's no potential for DoS here. It might _barely_ qualify as A4, info disclosure, but I'm not seeing major problems coming from an attacker guessing uptime.
Comment 3 William Hubbs gentoo-dev 2014-07-16 14:47:05 UTC
Security team, do you think I should do a revbump with a patch for this,
or should we wait for vapier to return in August to finish converting
the baselayout source tree from svn to git?
Comment 4 Alex Xu (Hello71) 2014-07-16 15:04:16 UTC
http://stackoverflow.com/questions/7880383/what-benefit-is-conferred-by-tcp-timestamp

http://wayback.archive.org/web/20131123045853/http://www.localhost.re/p/solusvm-whmcs-module-316-vulnerability

honestly, I wouldn't disable it for all gentoo machines. maybe put it in the security handbook at most.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-07-16 23:57:40 UTC
Based on my understanding the timestamp in the packets is used for fingerprinting by automated scanners. This is purely information and will not tell the "Attacker" anything other than Linux is the operating system.

As far as I know you can not perform any active attacks against this. 

This can also be turned off via:
sysctl -w net.ipv4.tcp_timestamps=0 

I would probably recommend that we ask the hardened project to add it to their Wiki? 

I personally do not see any Risk in identifying the system as Linux (without specific flavor of Linux).
Comment 6 SpanKY gentoo-dev 2014-07-31 13:37:36 UTC
i'm not seeing a problem here that needs addressing in the default sysctl.conf.  maybe hardened, but only because they are pessimistic about never giving an answer to anything rather than this being a known problem.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-07-31 17:55:57 UTC
(In reply to SpanKY from comment #6)
> i'm not seeing a problem here that needs addressing in the default
> sysctl.conf.  maybe hardened, but only because they are pessimistic about
> never giving an answer to anything rather than this being a known problem.

Agreed .... closing as WONTFIX since it is a security guidance and not a vulnerability directly.

If someone has objections please advise.