VMware vSphere

"HSTS Missing From HTTPS Server" TCP/IP issue


  • 1.  "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Sep 18, 2020 01:28 PM

    Hello,

    My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>

    9443/tcp - HSTS Missing From HTTPS Server

    Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

    7444/tcp - HSTS Missing From HTTPS Server

    Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

    5443/tcp - HSTS Missing From HTTPS Server

    Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

    I'm looking for a way to fix that.

    I didn't find any information in the VMware KB.

    Port 9443 =>  vSphere Web client HTTPS

    Port 7444 => vCenter Single Sign-On

    Port 5443 => vCenter Server graphical user interface internal

    I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.

    I have added in the "Filter definitions" section =>

        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>hstsEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>hstsMaxAgeSeconds</param-name>
                <param-value>30758400</param-value>
            </init-param>
            <init-param>
                <param-name>hstsIncludeSubDomains</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>antiClickJackingEnabled</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>blockContentTypeSniffingEnabled</param-name>
                <param-value>false</param-value>
            </init-param>
        </filter>

    And in the "Filter Mappings" section =>

        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <!-- "/*" is the catch-all pattern. A bare "*" is not a valid servlet
                 <url-pattern> (valid forms are "/path", "/path/*" and "*.ext"), and
                 Tomcat refuses to start a context whose web.xml contains one, which
                 matches the Web Client not coming up. The bare "*" entry is dropped. -->
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>

    In my company, all TCP issues have to be fixed or justified if not possible ... not always easy.

    Do you have an idea?



  • 2.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Nov 20, 2020 03:47 PM

    Did you ever figure out how to resolve this? I am having the same issue with it showing up on my Nessus scans.



  • 3.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Dec 01, 2020 03:15 PM

    Also having this issue.



  • 4.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Dec 03, 2020 05:49 PM

    I am also having this issue and unable to find any documentation or information.



  • 5.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Jan 12, 2021 01:08 PM

    Same issue here.



  • 6.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Jan 12, 2021 01:17 PM

    I opened a support case, and here is the response I received regarding the vCenter HSTS errors:

    For the VAMI interface, we currently have a workaround for these errors; see our internal KB below:

    =================================================================================================
    Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)
     
     Symptoms
    Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.
     Cause
    The lighttpd daemon does not include these headers by default.
     Resolution
    You can modify the /etc/applmgmt/appliance/lighttpd.conf file to include this header.
     
    Replace the lines:
     
    setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                                   "X-Frame-Options" => "Deny" )
     
    With the following:
     
    setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                                   "X-Frame-Options" => "Deny",
                                   "Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )
     
    Restart the lighttpd daemon:
     
    systemctl restart vami-lighttp
    ============================================================================ 

    For the Web Client, the HSTS fix is currently available only for VCSA 7.0 and not for VCSA 6.7.

    We still have a few bug reports open for VCSA 6.7, and we are currently waiting on our engineering team to come back with a patch.



  • 7.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Jan 12, 2021 01:19 PM

    Oh awesome, thanks.



  • 8.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Jan 15, 2021 06:51 PM

    So far it looks like there's only a fix/workaround for VAMI/5080, but not 443 or 9443?



  • 9.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Mar 03, 2021 07:55 PM

    Is there any update on the v6.7 remediation for the HSTS issue?



  • 10.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Broadcom Employee
    Posted Mar 22, 2021 07:54 AM


  • 11.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Mar 24, 2021 01:19 PM

    We upgraded to 6.7 U3m and re-ran the scanner, but it did not resolve this finding. Per the release notes for U3m, it looks like this hasn't been resolved yet, and they also mention there is no workaround.



  • 12.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Broadcom Employee
    Posted Mar 24, 2021 01:45 PM

    No fix will be out for port 5480. Other ports reported here are fixed in 6.7 U3m. You need to upgrade to 7.0 U2.

    Please specify what ports the scanner picks



  • 13.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Mar 24, 2021 03:14 PM

    Our scanner is picking this "HSTS Missing From HTTPS Server" on Port 9443 and 5580.



  • 14.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Broadcom Employee
    Posted Mar 24, 2021 03:28 PM

    Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

    For 5580, no workaround as of now. Please wait.



  • 15.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted May 14, 2021 03:52 PM

    Can you better explain this? Our scanner is finding 9443 with this issue. Are you saying we should modify the scanner to accept this because it is redirected? Is there a link from VMware we can provide our auditors to explain this?



  • 16.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted May 14, 2021 05:52 PM

    Never mind, I understand now.

    On vCenter port 9443 was used by the now deprecated vCenter client.

    Since the client is deprecated VMware is not fixing the issue, but upgrading to vCenter 7.0 resolves the issue since it does not support the old client and is not using port 9443.



  • 17.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Aug 06, 2021 06:56 AM

    Even though vCenter port 9443 is used by the deprecated vCenter client, the vulnerability is still there and needs to be fixed.

    There must be somewhere to add the HSTS header for the web page using port 9443 as well as port 5580; we don't know where it is, though.

     

    Not everyone is willing to upgrade to vCenter 7.0 just for this.



  • 18.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Aug 06, 2021 07:03 AM

    What you mean is that Nessus should be the one to make adjustment for 9443 port issue, not us, right?



  • 19.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Dec 16, 2021 11:26 AM

    Hello, was there ever a workaround developed for this issue around port 5580?



  • 20.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Dec 16, 2021 01:30 PM

    From an earlier comment in March:

    No fix will be out for port 5480. Other ports reported here are fixed in 6.7 U3m. You need to upgrade to 7.0 U2.

    Please specify what ports the scanner picks

    If you think your queries have been answered
    Mark this response as "Correct" or "Helpful".

    Regards,
    AJ


  • 21.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Jul 05, 2022 01:07 PM

    I have a problem with a Nessus scan finding for an ESXi 7.0 U3 host.

    - HSTS Missing From HTTPS Server (RFC 6797)  on port 9080

    I cannot find any solution for this.

    Has anyone ever had the same?



  • 22.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted May 30, 2023 03:53 PM

    I am having the same issue on ESXi 7.0.3
    I have not been able to find a recently dated fix that applies to ESXi and 7.0.3 for this issue.



  • 23.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Broadcom Employee
    Posted May 31, 2023 06:49 AM

    Port 9080 is for the IOFilterVP service, which runs on ESXi and is an internal HTTPS server used only by its client, the SMS service (from VC).
    The SMS service communicates on this port to configure/get IOFilter settings.
    It is not meant to be used externally. So I think HSTS is not relevant for port 9080.

    Have you reported this via SR to VMware Support ?


  • 24.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Nov 16, 2023 08:10 PM

    This is a poor response. Security measures should be implemented even for "internal" communications. This port is obviously used for communication and responds when external devices hit it, so it should still provide the same modern security best practices to prevent man-in-the-middle attacks from gathering information about hosts.



  • 25.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Broadcom Employee
    Posted Jan 23, 2021 08:05 AM

    Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

    Port 7444 : This port was originally used in vCenter 5.5 by the STS but it is not used in 6.5 onwards.
    Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.

    Note:- Port 7444 will no longer be exposed in a future version of 7.x.

    Workaround: Disable the firewall configuration exposing port 7444.
    1. Remove the firewall configuration file
    rm -f /etc/vmware/appliance/firewall/vmware-sso
    2. Reboot the system or reload the firewall rules
    /usr/lib/applmgmt/networking/bin/firewall-reload

    To restore the original configuration that exposes port 7444:
    1. Restore the symbolic link to the configuration file
    /bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
    2. Reboot the system or reload the firewall rules
    /usr/lib/applmgmt/networking/bin/firewall-reload

     

    Port 5443 : This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.



  • 26.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Feb 04, 2021 03:30 PM

    I ran that curl command on 9443 and got the header
    < HTTP/1.1 200
    < Strict-Transport-Security: max-age=31536000 ; includeSubDomains

    However the scanner still shows the vulnerability on 9443

    Did you  mean that the scanner must be adjusted instead of adding this to /etc/httpd/httpd.conf ?


    # Browsers only honour Strict-Transport-Security when it arrives over TLS
    # (RFC 6797), so the directive belongs in the HTTPS vhost, not the :80 one.
    <VirtualHost www.example.com:443>

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

    </VirtualHost>

     

    Thanks in advance



  • 27.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Broadcom Employee
    Posted Feb 06, 2021 01:07 AM

    Yes. 9443 is not vulnerable and should be adjusted in the scanner.
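    The discrepancy in the two posts above (curl shows the header on 9443, the scanner still flags the port) comes down to which response is inspected: `curl -L` follows the redirect and shows the final page, while a scanner may judge the first response it gets for that port. The script below, an added example that is not code from this thread or from VMware, follows an HTTPS redirect chain hop by hop and records Strict-Transport-Security for each hop, so both views can be reconciled before arguing with an auditor. The vCenter hostname in the usage line is a placeholder, and SAMPLE_CHAIN is constructed to mimic a 302 without the header followed by a 200 that carries it.

```python
"""Added example: inspect every hop of an HTTPS redirect chain for HSTS.

`curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security` shows
that some response in the chain carries the header; a scanner that judges
only the first response for the port (for example a 302 to another path)
can still raise "HSTS Missing From HTTPS Server". This records the header
per hop. Not VMware's code; the target host is a placeholder and
SAMPLE_CHAIN is constructed, not captured from a real vCenter.
"""
import ssl
import http.client
from urllib.parse import urlsplit, urljoin

HSTS = "strict-transport-security"
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample: a redirect without HSTS, then a final page with it.
SAMPLE_CHAIN = [
    (302, {"Location": "/ui/"}),
    (200, {"Strict-Transport-Security": "max-age=31536000 ; includeSubDomains"}),
]


def parse_hsts(value):
    """Parse an HSTS field value (RFC 6797 section 6.1).

    Directive names are case-insensitive and whitespace around ';' is allowed,
    so the 'max-age=31536000 ; includeSubDomains' printed by curl above parses.
    Returns None when the value is unusable (no numeric max-age), which a
    browser treats the same as no header at all.
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_chain(hops):
    """hops: [(status, headers_dict), ...] in redirect order.
    Returns one finding per hop; a hop is 'ok' only if it carries valid HSTS."""
    findings = []
    for i, (status, headers) in enumerate(hops, 1):
        lowered = {k.lower(): v for k, v in headers.items()}
        hsts = parse_hsts(lowered.get(HSTS))
        findings.append({"hop": i, "status": status, "hsts": hsts, "ok": hsts is not None})
    return findings


def first_missing(findings):
    """Hop number of the first response without HSTS, or None if every hop has it."""
    for f in findings:
        if not f["ok"]:
            return f["hop"]
    return None


def fetch_chain(url, max_hops=5, timeout=5):
    """Live version: follow redirects manually, keeping each hop's headers.
    Certificate verification is disabled to match `curl -k` on a self-signed
    vCenter/ESXi certificate; use this context for scanning only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        if u.scheme != "https":
            break  # HSTS is only meaningful on TLS; stop if redirected to http
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            hops.append((resp.status, dict(resp.getheaders())))
            location = resp.getheader("Location")
        finally:
            conn.close()
        if resp.status in REDIRECTS and location:
            url = urljoin(url, location)
        else:
            break
    return hops


if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own vCenter URL as the first argument.
    chain = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHAIN
    findings = check_chain(chain)
    for f in findings:
        state = "present" if f["ok"] else "MISSING"
        print(f"hop {f['hop']}: HTTP {f['status']} HSTS={state} {f['hsts'] or ''}")
    hop = first_missing(findings)
    print("first-response view:", f"finding on hop {hop}" if hop else "clean on every hop")
```

    Run it with the vCenter URL (for example https://vcenter.example.invalid:9443/) as the only argument; with no argument it evaluates SAMPLE_CHAIN, where hop 1 is a redirect without the header and hop 2 carries it, so a `curl -L` reader sees the header and a first-response scanner reports it missing. If your own chain shows every hop carrying a valid max-age, the finding is a scanner-side false positive; if an early hop lacks it, that is the response to fix or to justify.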



  • 28.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Nov 17, 2023 07:17 AM

    We also had the same issues with ports 9080 and 9443, but the latest version of vCenter (7.0 U3o) solved the false-positive issue.



  • 29.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Dec 12, 2023 11:18 PM

    Still an issue on build 22357613.



  • 30.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Feb 19, 2024 03:28 PM

    I still have the issue "HSTS Missing From HTTPS Server" on port 5580 in the current 7.0.3 version.
    Will there be a fix, or is it possible to disable port 5580?
    I got rid of the issue on port 9080 by disabling the IOFilter port 9080 in the ESXi firewall; my cluster was not using it, but you should ask support before doing it.



  • 31.  RE: "HSTS Missing From HTTPS Server" TCP/IP issue

    Posted Feb 10, 2025 08:37 AM

    For anyone still following this thread, VMware / Broadcom has posted a KB article (323223) about this topic:

    vCenter Server vulnerability scan detecting HSTS Missing From HTTPS Server