PGU94
Contributor

"HSTS Missing From HTTPS Server" TCP/IP issue

Hello,

My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>

9443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

7444/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

5443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

I'm looking for a way to fix that.

I didn't find any information in the VMware KB.

Port 9443 => vSphere Web Client HTTPS

Port 7444 => vCenter Single Sign-On

Port 5443 => vCenter Server graphical user interface internal

I already tried to modify the Web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.

I have added in the "Filter definitions" section =>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>30758400</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

And in the "Filter Mappings" section =>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <!-- A bare "*" is not a legal url-pattern (the servlet spec only allows
             patterns starting with "/" or "*."), and Tomcat rejects a filter
             mapping with an invalid pattern; "/*" already matches every request. -->
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

In my company, all TCP issues have to be fixed or justified if not possible ... not always easy.

Do you have an idea?

tglear
Contributor

Did you ever figure out how to resolve this? I am having the same issue with it showing up on my Nessus scans.

jasondrake1978
Contributor

also having this issue.

jpearson_ngds
Contributor

I am also having this issue and unable to find any documentation or information.

divadiow
Contributor

same issue here

jpearson_ngds
Contributor

I opened a support case and here was the response I received.
Regarding the vCenter HSTS errors

For the VAMI interface, we currently have a workaround for these errors; see our internal KB below:

=================================================================================================
Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)

Symptoms
Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.

Cause
The lighttp daemon does not include these headers by default.

Resolution
You can modify the /etc/applmgmt/appliance/lighttpd.conf file to include this header.

Replace the lines:

    setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                                   "X-Frame-Options" => "Deny" )

With the following:

    setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                                   "X-Frame-Options" => "Deny",
                                   "Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )

Restart the lighttp daemon:

    systemctl restart vami-lighttp
============================================================================

For the Web Client, the HSTS fix is currently available only for VCSA 7.0 and not for VCSA 6.7.

We still have a few bug reports open for VCSA 6.7 and are currently waiting on our engineering team to come back with a patch.

divadiow
Contributor

oh awesome, thanks

dstlex
Contributor

So far it looks like there's only a fix/workaround for VAMI/5080, but not 443 or 9443?

Ajay1988
VMware Employee

Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

Port 7444 : This port was originally used in vCenter 5.5 by the STS but it is not used in 6.5 onwards.
Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.

Note: Port 7444 will no longer be exposed in a future version of 7.x.

Workaround: Disable the firewall configuration exposing port 7444.
1. Remove the firewall configuration file
rm -f /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

To restore the original configuration that exposes port 7444:
1. Restore the symbolic link to the configuration file
/bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload


Port 5443 : This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
panizzag
Contributor

I ran that curl command on 9443 and got the header
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains

However, the scanner still shows the vulnerability on 9443.

Did you mean that the scanner must be adjusted, instead of adding this to /etc/httpd/httpd.conf?


<VirtualHost www.example.com:80>

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

</VirtualHost>


Thanks in advance

Ajay1988
VMware Employee

Yes. 9443 is not vulnerable and should be adjusted in the scanner.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
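To see why `curl -L` and a scanner can disagree on 9443, here is an added check (my own example, not from any post in this thread) that records the Strict-Transport-Security header on every hop of the redirect chain rather than only on the final page. The host name in the constructed sample is made up, and fetch_chain is an assumed helper for live use that disables certificate verification.

```python
import http.client
import ssl
from urllib.parse import urlsplit

HSTS = "strict-transport-security"
MIN_MAX_AGE = 31536000  # one year, the value the lighttpd workaround in this thread sets

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797). Returns a dict, or None if unusable."""
    directives = {}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # max-age is mandatory and must be a non-negative integer
    directives["max-age"] = int(directives["max-age"])
    return directives

def hop_ok(headers):
    """True if this one response (header names in lower case) carries usable HSTS."""
    parsed = parse_hsts(headers.get(HSTS, ""))
    return parsed is not None and parsed["max-age"] >= MIN_MAX_AGE

def audit_chain(chain):
    """Judge every hop; a scanner that does not follow redirects only sees chain[0]."""
    return [(status, hop_ok(headers)) for status, headers in chain]

def fetch_chain(host, port, max_hops=5):
    """Follow redirects by hand so every hop is recorded (assumed helper; needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed lab certs
    chain, path = [], "/"
    for _ in range(max_hops):
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        chain.append((resp.status, headers))
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        loc = urlsplit(headers["location"])
        if loc.hostname:
            host, port = loc.hostname, loc.port or 443
        path = loc.path or "/"
    return chain

# Constructed sample modelled on the 9443 behaviour in the thread: the direct
# response redirects without HSTS and only the redirect target sends the header.
SAMPLE_9443 = [(302, {"location": "https://vcenter.example.invalid/ui/"}),
               (200, {HSTS: "max-age=31536000 ; includeSubDomains"})]
```

Running audit_chain over the sample gives [(302, False), (200, True)]: `curl -L | grep` reports the header from the second hop, while a scanner judging the direct response on the port sees only the first.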
fjluce2
Contributor

Is there any update on the v6.7 remediation for the HSTS issue?

Ajay1988
VMware Employee

Please upgrade to 6.7 U3m and run the scanner again.

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3m-release-notes.html

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
jriver07
Contributor

We upgraded to 6.7 U3m and re-ran the scanner, but it did not resolve this finding. Per the release notes for U3m, it looks like this hasn't been resolved yet, and they also mention there is no workaround.

Ajay1988
VMware Employee

No fix will be out for port 5480. Other ports reported here are fixed in 6.7 U3m. You need to upgrade to 7.0 U2.

Please specify what ports the scanner picks

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
jriver07
Contributor

Our scanner is picking this "HSTS Missing From HTTPS Server" on Port 9443 and 5580.

Ajay1988
VMware Employee

Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

For 5580, no workaround as of now. Please wait.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
rmorrissey64
Contributor

Can you better explain this? Our scanner is finding 9443 with this issue; are you saying we should modify the scanner to accept this because it is redirected? Is there a link from VMware we can provide our auditors to explain this?

rmorrissey64
Contributor

Never mind, I understand now.

On vCenter, port 9443 was used by the now-deprecated vCenter client.

Since the client is deprecated VMware is not fixing the issue, but upgrading to vCenter 7.0 resolves the issue since it does not support the old client and is not using port 9443.

paul007_ts
Contributor

Even though vCenter port 9443 is used by the deprecated vCenter client, the vulnerability is still there and needs to be fixed.

There must be somewhere to add the HSTS header for the web page using port 9443 as well as port 5580; we don't know where it is, though.


Not everyone is willing to upgrade to vCenter 7.0 just for this.
