ADC: ICMP Timestamp Request Remote Date Disclosure Vulnerability (CVE-1999-0524)

Article ID: CTX692288

Description

A vulnerability scan flags the NetScaler device as vulnerable to the ICMP Timestamp Request Remote Date Disclosure Vulnerability (CVE-1999-0524) even though an ACL already exists to block ICMP type 13 traffic.

Resolution

Create the three extended ACL rules below to block ICMP traffic of types 13, 37 and 17.

Keep in mind that the priority order of the rules matters: the rules for ICMP types 37 and 17 must have a higher priority (a lower priority number, as in the example below) than the rule for ICMP type 13, because packets of those types are received before the type 13 request.

For reference, the three rules should look similar to the following:

add ns acl ICMP_DomainNameRequest_Block DENY -protocol ICMP -icmpType 37 -priority 8
add ns acl ICMP_AddressMaskRequest_Block DENY -protocol ICMP -icmpType 17 -priority 9
add ns acl ICMP_TimestampRequest_Block DENY -protocol ICMP -icmpType 13 -priority 10
apply ns acls

Problem Cause

Many vulnerability scanners send ICMP requests of types 37 and 17 before they send ICMP requests of type 13.

Since a session is initially established by the ICMP type 37 request, and the subsequent requests arrive within the session timeout (2-3 minutes), the NetScaler treats them as part of the same session and does not apply the ACL rules to that traffic.
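The Resolution and Problem Cause sections together say that a type 13 DENY rule is only effective if DENY rules for types 37 and 17 exist and are evaluated before it. The following script is an added example, not part of this article or of any NetScaler tooling: it parses a saved configuration (the "add ns acl" lines as they appear in ns.conf or the output of "show ns runningConfig") and reports whether the three rules are present and ordered as the article requires. The sample configurations are constructed for the example; the first reuses the article's three rules, the second is a deliberately mis-ordered variant. It assumes, as the article's priorities 8, 9 and 10 show, that a lower priority number is evaluated first.

```python
import re

# Constructed sample: the three rules exactly as given in this article.
SAMPLE_CONFIG = """\
add ns acl ICMP_DomainNameRequest_Block DENY -protocol ICMP -icmpType 37 -priority 8
add ns acl ICMP_AddressMaskRequest_Block DENY -protocol ICMP -icmpType 17 -priority 9
add ns acl ICMP_TimestampRequest_Block DENY -protocol ICMP -icmpType 13 -priority 10
apply ns acls
"""

# Constructed counter-example: the type 17 rule is missing and the type 37 rule
# sits behind the type 13 rule (a higher priority number is evaluated later).
MISORDERED_CONFIG = """\
add ns acl ICMP_TimestampRequest_Block DENY -protocol ICMP -icmpType 13 -priority 10
add ns acl ICMP_DomainNameRequest_Block DENY -protocol ICMP -icmpType 37 -priority 20
"""

RULE_RE = re.compile(r"^add ns acl (?P<name>\S+) (?P<action>ALLOW|DENY)\b(?P<opts>.*)$")
OPT_RE = re.compile(r"-(?P<key>\w+)\s+(?P<value>\S+)")


def parse_acls(config_text):
    """Return one dict per 'add ns acl' line with its name, action and options.

    Lines that are not ACL definitions (for example 'apply ns acls') are skipped.
    """
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = {k.lower(): v for k, v in OPT_RE.findall(m.group("opts"))}
        rules.append({
            "name": m.group("name"),
            "action": m.group("action"),
            "protocol": opts.get("protocol", "").upper(),
            "icmp_type": int(opts["icmptype"]) if "icmptype" in opts else None,
            "priority": int(opts["priority"]) if "priority" in opts else None,
        })
    return rules


def icmp_deny_priority(rules, icmp_type):
    """Lowest priority number (i.e. evaluated first) of a DENY rule for this ICMP type, or None."""
    prios = [r["priority"] for r in rules
             if r["action"] == "DENY" and r["protocol"] == "ICMP"
             and r["icmp_type"] == icmp_type and r["priority"] is not None]
    return min(prios) if prios else None


def check_timestamp_block(rules, session_openers=(37, 17), target=13):
    """Return a list of findings; an empty list means the rules match the article's guidance.

    session_openers are the ICMP types the article says a scanner sends first, which open
    the session that later type 13 requests are matched against.
    """
    findings = []
    target_prio = icmp_deny_priority(rules, target)
    if target_prio is None:
        findings.append(f"no DENY rule for ICMP type {target}")
    for t in session_openers:
        p = icmp_deny_priority(rules, t)
        if p is None:
            findings.append(f"no DENY rule for ICMP type {t}; a type {t} request would open a "
                            f"session that later type {target} requests are matched against")
        elif target_prio is not None and p >= target_prio:
            findings.append(f"ICMP type {t} rule (priority {p}) must have a lower priority "
                            f"number than the type {target} rule (priority {target_prio})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("article rules", SAMPLE_CONFIG), ("mis-ordered rules", MISORDERED_CONFIG)):
        problems = check_timestamp_block(parse_acls(cfg))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against a copy of the appliance's running configuration to confirm the three rules survived a configuration change or upgrade; the ordering check is the part a scanner result alone does not tell you, because the scan only reports that the type 13 reply came back.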