VMware vSphere

Hello,

My Nessus scanner returned me 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>

9443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

7444/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

5443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

I'm looking for a way to fix that.

i didn't find any information into the Vmware KB.

Port 9443 =>  vSphere Web client HTTPS

Port 7444 => vCenter Single-Signe On

Port 5443 => vCenter Server graphical user interface internal

I already tried to modify the Web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf) where i have found a section related to enable HSTS but after these changes my vCenter Web client (Flash) didn't start at all.

I have added in the "Filter definitions" section =>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>30758400</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

And in the "Filter Mappings" section =>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

In my company, all TCP issues have to be fixed or justified if not possible ... not always easy.

Do you have an idea ???

Did you ever figure out how to resolve this? I am having the same issue with it showing up on my Nessus scans.

also having this issue.

I am also having this issue and unable to find any documentation or information.

same issue here

I opened a support case and here was the response I received.
Regarding the vCenter HSTS errors

For VAMI interface, currently we have workaround for this errors, see below our internal KB:

=================================================================================================
Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)
 
 Symptoms
Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.
 Cause
The lighttp daemon does not include these headers by default.
 Resolution
You can modify the /etc/applmgmt/appliance/lighttpd.conf file to include this header.
 
Replace the lines:
 
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny" )
 
With the following:
 
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny",
                               "Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )
 
Restart the lighttp daemon:
 
systemctl restart vami-lighttp
============================================================================ 

For the Web Client, HSTS added fix is currently  available only for VCSA 7.0 and not for VCSA 6.7. 

We still have few bug reports open for VCSA 6.7 and currently we are still waiting on our engeenering team to come back with patch.

oh awesome, thanks

So far it looks like there's only a fix/workaround for VAMI/5080, but not 443 or 9443?

Is there any update on the v6.7 remediation for the HSTS issue?

Please upgrade to 6.7 U3m -and run the scanner again .

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3m-release-notes.html

We upgraded to 6.7 U3m and re-ran the scanner but did not resolve this finding. Per the Release notes for U3m, looks like this hasn't been resolved yet and also mentions there is no work around.

No fix will be out for port 5480  . Other ports reported here are fixed in 6.7 U3m.   You need to upgrade to 7.0 U2.

Please specify what ports the scanner picks

Our scanner is picking this "HSTS Missing From HTTPS Server" on Port 9443 and 5580.

Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

For 5580; no workaround as of now. Please wait. 

Can you better explain this?  Our scanner is finding 9443 with this issue, our you saying we should modify the scanner to accept this because it is redirected?  Is there a link from VMWare we can provide our auditors to explain this?

Never mind, I understand now.

On vCenter port 9443 was used by the now deprecated vCenter client.

Since the client is deprecated VMware is not fixing the issue, but upgrading to vCenter 7.0 resolves the issue since it does not support the old client and is not using port 9443.

Even though vcenter port 9443 is used by deprecated vCenter client, the vulnerability is still there and need to be fixed.

There must be somewhere to add the HSTS header for web page using port 9443 as well as port 5580, we don't know where is it though.

Not everyone is willing to upgrade to vCenter 7.0 just for this.

What you mean is that Nessus should be the one to make adjustment for 9443 port issue, not us, right?

Hello, was there ever a workaround developed for this issue around port 5580?

From an earlier comment in March:

No fix will be out for port 5480  . Other ports reported here are fixed in 6.7 U3m.   You need to upgrade to 7.0 U2.

Please specify what ports the scanner picks

I have a problem with nessus scan finding for ESXi host 7.0 U3.

- HSTS Missing From HTTPS Server (RFC 6797)  on port 9080

I cannot find any solution for this.

Has anyone ever had the same?

I am having the same issue on ESXi 7.0.3
I have not been able to find a recently dated fix that applies to ESXi and 7.0.3 for this issue.

This is a poor response. Security measures should be implemented even for “internal” communications. This port is obviously used for a communication and responds when external devices hit it, so it should still provide the same modern security best practices to prevent man in the middle attacks from gathering information about hosts. 

Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

Port 7444 : This port was originally used in vCenter 5.5 by the STS but it is not used in 6.5 onwards.
Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.

Note:- Port 7444 will no longer be exposed in a future version of 7.x.

Workaround: Disable the firewall configuration exposing port 7444.
1. Remove the firewall configuration file
rm -f /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

To restore the original configuration that exposes port 7444:
1. Restore the symbolic link to the configuration file
/bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

Port 5443 : This  has not been report to VMware security team. Please file a SR with VMware Support and provide the scanner report

I ran that curl command on 9443 and got the header
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains

However the scanner still shows the vulnerability on 9443

Did you  mean that the scanner must be adjusted instead of adding this to /etc/httpd/httpd.conf ?

<VirtualHost www.example.com:80>

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

</VirtualHost>

Thanks in advance

Yes. 9443 is not vulnerable and should be  adjusted in scanner

also we have same issues with 9080 9443 port, but latest version of vcenter(7.0 u3o) solved the false positive issue. 

Still and issue on build 22357613

I still have an issue "HSTS Missing From HTTPS Server" on port 5580 in the current 7.0.3 version.
Will there be a fix or is it possible to disable port 5580?
The issue on port 9080 I get rid off by disabling IOFilter port 9080 in ESXi Firewall, my cluster was not using it, but you should ask support before doing it.

For anyone still following this thread, VMware / Broadcom has posted a KB (323223) article about this topic.

vCenter Server vulnerability scan detecting HSTS Missing From HTTPS Server