Hello,
My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version):
9443/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
7444/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
5443/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
I'm looking for a way to fix that.
I didn't find any information in the VMware KB.
Port 9443 => vSphere Web client HTTPS
Port 7444 => vCenter Single Sign-On
Port 5443 => vCenter Server graphical user interface internal
I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.
I have added in the "Filter definitions" section =>
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>30758400</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
And in the "Filter Mappings" section =>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- A bare "*" is not a valid servlet url-pattern (only "/exact", "/prefix/*" or "*.ext"
         are allowed); Tomcat rejects the filter mapping and the web application fails to
         deploy, so the second pattern is commented out. "/*" already matches every request. -->
    <!-- <url-pattern>*</url-pattern> -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
In my company, all TCP issues have to be fixed or justified if not possible ... not always easy.
Do you have an idea?
Did you ever figure out how to resolve this? I am having the same issue with it showing up on my Nessus scans.
Also having this issue.
I am also having this issue and unable to find any documentation or information.
Same issue here.
I opened a support case and here is the response I received.
Regarding the vCenter HSTS errors
For the VAMI interface, we currently have a workaround for these errors; see our internal KB below:
=================================================================================================
Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)
Symptoms
Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.
Cause
The lighttpd daemon does not include these headers by default.
Resolution
You can modify the /etc/applmgmt/appliance/lighttpd.conf file to include this header.
Replace the lines:
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
"X-Frame-Options" => "Deny" )
With the following:
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
"X-Frame-Options" => "Deny",
"Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )
Restart the lighttpd daemon:
systemctl restart vami-lighttp
============================================================================
For the Web Client, the HSTS fix is currently available only for VCSA 7.0 and not for VCSA 6.7.
We still have a few bug reports open for VCSA 6.7 and are currently waiting for our engineering team to come back with a patch.
Oh awesome, thanks.
So far it looks like there's only a fix/workaround for VAMI/5080, but not 443 or 9443?
Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security
Port 7444 : This port was originally used in vCenter 5.5 by the STS, but it is not used from 6.5 onwards.
Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.
Note: Port 7444 will no longer be exposed in a future version of 7.x.
Workaround: Disable the firewall configuration exposing port 7444.
1. Remove the firewall configuration file
rm -f /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload
To restore the original configuration that exposes port 7444:
1. Restore the symbolic link to the configuration file
/bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload
Port 5443 : This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.
I ran that curl command on 9443 and got the header:
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
However, the scanner still shows the vulnerability on 9443.
Did you mean that the scanner must be adjusted instead of adding this to /etc/httpd/httpd.conf ?
<VirtualHost www.example.com:80>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
Thanks in advance
Yes. 9443 is not vulnerable and should be adjusted in the scanner.
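As an added illustration (not part of the thread and not VMware's code) of why `curl -L ... | grep Strict-Transport-Security` can succeed while a scanner still reports the port: `curl -L` only shows the final response in a redirect chain, whereas the scanner evaluates the first response it receives on that port. The script below reads a full header dump (every response in the chain, as `curl -D -` writes it) and reports HSTS per response. The header dump and the hostname vcenter.example.com are constructed for the example; the assumption that 9443 answers first with a redirect lacking the header is the scenario being illustrated, not a measurement.

```shell
#!/bin/sh
# Added example: report the Strict-Transport-Security header per HTTP response
# in a redirect chain, so the first response (what a scanner grades) can be
# told apart from the redirect target (what `curl -L` ends on).

# hsts_report: read a raw header dump (e.g. `curl -D -` output) from stdin and
# print one line per HTTP response: index, status code, HSTS present/missing.
hsts_report() {
  awk '
    { sub(/\r$/, "") }                                   # tolerate CRLF endings
    /^HTTP\// { n++; status[n] = $2; sts[n] = "missing" }  # new response block
    tolower($1) == "strict-transport-security:" { sts[n] = "present" }
    END {
      for (i = 1; i <= n; i++)
        printf "response %d: HTTP %s, HSTS %s\n", i, status[i], sts[i]
    }
  '
}

# first_response_hsts: "present" or "missing" for the first response only,
# which is the response a scanner typically evaluates for this finding.
first_response_hsts() {
  hsts_report | sed -n '1s/.*HSTS //p'
}

# check_port HOST PORT: live check. -D - dumps every header block in the
# redirect chain to stdout, -o discards the bodies, -k because vCenter is
# usually served with a VMCA-issued certificate the scan host does not trust.
check_port() {
  curl -sk -o /dev/null -D - -L --max-time 15 "https://$1:$2/" | hsts_report
}

# Constructed sample (hypothetical, not captured from a real vCenter): a
# redirect on 9443 without HSTS, followed by the redirect target with HSTS.
# This shape makes `curl -L | grep Strict-Transport-Security` succeed while
# the scanner, which looks at response 1, still reports the port.
SAMPLE_9443='HTTP/1.1 302
Location: https://vcenter.example.com:9443/vsphere-client/
Content-Length: 0

HTTP/1.1 200
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Type: text/html;charset=UTF-8'

if [ "$#" -ge 2 ]; then
  check_port "$1" "$2"          # e.g. ./hsts_check.sh vcenter.example.com 9443
else
  printf '%s\n' "$SAMPLE_9443" | hsts_report
fi
```

Run it with a host and port to test a real vCenter (each port from the scan report can be checked in turn); with no arguments it prints the report for the constructed sample, where response 1 is "missing" and response 2 is "present". If a live check shows "missing" on response 1, the scanner finding is accurate for that port even though `curl -L` prints the header.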
Is there any update on the v6.7 remediation for the HSTS issue?
Please upgrade to 6.7 U3m and run the scanner again.
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3m-release-notes.html
We upgraded to 6.7 U3m and re-ran the scanner, but it did not resolve this finding. Per the release notes for U3m, it looks like this hasn't been resolved yet, and they also mention there is no workaround.
No fix will be out for port 5480. Other ports reported here are fixed in 6.7 U3m. You need to upgrade to 7.0 U2.
Please specify which ports the scanner picks up.
Our scanner is picking up "HSTS Missing From HTTPS Server" on ports 9443 and 5580.
Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security
For 5580, no workaround as of now. Please wait.
Can you better explain this? Our scanner is finding 9443 with this issue. Are you saying we should modify the scanner to accept this because it is redirected? Is there a link from VMware we can provide our auditors to explain this?
Never mind, I understand now.
On vCenter port 9443 was used by the now deprecated vCenter client.
Since the client is deprecated VMware is not fixing the issue, but upgrading to vCenter 7.0 resolves the issue since it does not support the old client and is not using port 9443.
Even though vCenter port 9443 is used by the deprecated vCenter client, the vulnerability is still there and needs to be fixed.
There must be somewhere to add the HSTS header for the web page using port 9443 as well as port 5580; we don't know where it is, though.
Not everyone is willing to upgrade to vCenter 7.0 just for this.