VMware Cloud Community
PGU94
Contributor

"HSTS Missing From HTTPS Server" TCP/IP issue

Hello,

My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>

9443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

7444/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

5443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

I'm looking for a way to fix that.

I didn't find any information in the VMware KB.

Port 9443 => vSphere Web Client HTTPS

Port 7444 => vCenter Single Sign-On

Port 5443 => vCenter Server graphical user interface internal

I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.

I added this in the "Filter definitions" section =>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>30758400</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

And in the "Filter Mappings" section =>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <!-- "/*" alone already matches every request. A bare "*" is not a
             valid servlet url-pattern (only "/..." path or "*.ext" extension
             patterns are), and Tomcat rejects such a filter mapping when the
             context starts, so it is removed here. -->
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

In my company, all TCP issues have to be fixed, or justified if a fix is not possible ... not always easy.

Do you have an idea?

29 Replies
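The check a practitioner wants before and after a change like the web.xml edit above: confirm on the exact port (9443, 7444, 5443, ...) whether the listener sends Strict-Transport-Security and whether the value is sane. This is an added example, not code from the thread or from VMware or Tenable; it uses only the Python 3 standard library. It goes a little beyond the bare Nessus test (header present or not) by parsing the value per RFC 6797 and flagging malformed or very short max-age values. The two sample header sets are constructed, not captured from a real vCenter, and MIN_MAX_AGE is a local-policy assumption, not a Nessus setting.

```python
"""Check an HTTPS listener for RFC 6797 Strict-Transport-Security.

Added example, not from the thread or from VMware. Standard library only.
Usage: python hsts_check.py vcenter.example.local 9443
       python hsts_check.py            (runs the constructed samples)
"""
import http.client
import ssl
import sys

# Local-policy threshold (assumption, not a Nessus setting): flag max-age
# values under roughly six months even when the header is present.
MIN_MAX_AGE = 15768000


def parse_hsts(value):
    """Parse an HSTS header value. Returns None when the value is invalid:
    no max-age, a non-numeric max-age, or a directive that appears twice
    (RFC 6797 section 6.1 forbids repeated directives)."""
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')  # max-age="600" is allowed
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max-age": int(directives["max-age"]),
        "includesubdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess(headers):
    """Grade response headers (a dict or a list of (name, value) pairs).
    Returns (status, detail); status is 'missing', 'invalid', 'short' or 'ok'.
    Only the first HSTS header is considered, as RFC 6797 tells browsers."""
    pairs = headers.items() if isinstance(headers, dict) else headers
    value = next((v for n, v in pairs if n.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing", "no Strict-Transport-Security header (the Nessus finding)"
    parsed = parse_hsts(value)
    if parsed is None:
        return "invalid", "unparseable value: %r" % value
    if parsed["max-age"] < MIN_MAX_AGE:
        return "short", "max-age=%d is below %d" % (parsed["max-age"], MIN_MAX_AGE)
    return "ok", "max-age=%d includeSubDomains=%s" % (parsed["max-age"], parsed["includesubdomains"])


def probe(host, port, path="/", timeout=10):
    """GET https://host:port/path and assess the response headers.
    Certificate verification is off on purpose: vCenter and ESXi usually serve
    VMCA-issued or self-signed certs, and this is a header check, not a trust check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return assess(resp.getheaders())
    finally:
        conn.close()


# Constructed sample header sets (not captured from a real vCenter): what the
# scanner sees before the fix, and what Tomcat's HttpHeaderSecurityFilter emits
# with hstsMaxAgeSeconds=30758400 and hstsIncludeSubDomains=true.
SAMPLE_BEFORE = {"Content-Type": "text/html", "Connection": "close"}
SAMPLE_AFTER = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=30758400;includeSubDomains"}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("%s:%s -> %s (%s)" % (sys.argv[1], sys.argv[2], *probe(sys.argv[1], int(sys.argv[2]))))
    else:
        for label, hdrs in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print("%s -> %s (%s)" % (label, *assess(hdrs)))
```

Run it against each port the scanner listed rather than only port 443: Nessus evaluates every HTTPS listener separately, and a filter added to one web.xml only affects the webapp that file belongs to. A "missing" result on a port after the change means that listener is served by a different component than the one you edited.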
paul007_ts
Contributor

What you mean is that Nessus should be the one to make adjustment for 9443 port issue, not us, right?

Nogie
Contributor

Hello, was there ever a workaround developed for this issue around port 5580?

rmorrissey64
Contributor

From an earlier comment in March:

No fix will be out for port 5480. Other ports reported here are fixed in 6.7 U3m. You need to upgrade to 7.0 U2.

Please specify which ports the scanner picks up.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
JakubSz
Contributor

I have a problem with a Nessus scan finding for an ESXi 7.0 U3 host.

- HSTS Missing From HTTPS Server (RFC 6797)  on port 9080

I cannot find any solution for this.

Has anyone ever had the same?

sp745p
Contributor

I am having the same issue on ESXi 7.0.3.
I have not been able to find a recently dated fix that applies to ESXi and 7.0.3 for this issue.

Ajay1988
Expert

Port 9080 is for the IOFilterVP service, which runs on ESXi and is an internal HTTPS server used only by its client, the SMS service (from VC).
The SMS service communicates on this port to configure/get IO filter settings.
It is not meant to be used externally, so I think HSTS is not relevant for port 9080.

Have you reported this via an SR to VMware Support?
If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
Dwalker_cgx
Contributor

This is a poor response. Security measures should be implemented even for "internal" communications. This port is obviously used for communication and responds when external devices hit it, so it should still provide the same modern security best practices to prevent man-in-the-middle attacks from gathering information about hosts.

oyahyaoglu
Contributor

We also have the same issues with ports 9080 and 9443, but the latest version of vCenter (7.0 U3o) solved the false positive issue.

FFSBES
Contributor

Still an issue on build 22357613.

moscheka
Contributor

I still have the issue "HSTS Missing From HTTPS Server" on port 5580 in the current 7.0.3 version.
Will there be a fix, or is it possible to disable port 5580?
I got rid of the issue on port 9080 by disabling the IOFilter port 9080 in the ESXi firewall; my cluster was not using it, but you should ask support before doing it.
