Security scanner reports insecure configurations of HTTP response header fields

Article ID: 320516

Products

VMware Cloud Director

Issue/Introduction

  • The security scanner reports that the Content-Security-Policy header served by the Cloud Director UI is too permissive.
  • The Content-Security-Policy header contains unsafe-inline and unsafe-eval in the default-src and script-src directives.
  • In the Content-Security-Policy, the following values were found for the default-src and script-src directives:
    unsafe-inline
    unsafe-eval
  • Example of the header as quoted in the security report:
    Content-Security-Policy: default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
  • The recommended way to establish a Content Security Policy is to first set default-src to 'self' or 'none' and then add the other directives only as needed.
  • During a security audit, the penetration-testing agency flagged the CSP as overly lax.
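As an added illustration (not VMware code), the following Python script parses the policy string quoted in the scanner report above, applies the CSP rule that a fetch directive missing from the policy falls back to default-src, and lists the permissive source expressions each directive effectively allows. It then runs the same audit against a restrictive baseline built the way the report recommends (default-src 'self', then only what is needed); that baseline is a constructed example, not a Cloud Director setting.

```python
"""Audit a Content-Security-Policy header for permissive source expressions.

Added example, not VMware Cloud Director code. SCANNER_CSP is the policy
quoted in the scanner report; HARDENED_CSP is a constructed baseline.
"""
from typing import Dict, List

# Source expressions a scanner treats as permissive in fetch directives.
PERMISSIVE = {"*", "'unsafe-inline'", "'unsafe-eval'"}

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "connect-src", "img-src",
                    "font-src", "frame-src", "object-src")

# Policy reported by the scanner (copied from the report above).
SCANNER_CSP = ("default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; "
               "script-src * 'unsafe-inline' 'unsafe-eval'; "
               "connect-src * 'unsafe-inline'; "
               "img-src * data: blob: 'unsafe-inline'; frame-src *; "
               "style-src * data: blob: 'unsafe-inline'; "
               "font-src * data: blob: 'unsafe-inline';")

# Constructed restrictive baseline: start from 'self' and add only what is needed.
HARDENED_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                "frame-ancestors 'none'; base-uri 'self'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Per the CSP specification, a directive that appears more than once is
    honoured only the first time; later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # skip empty fragments such as the one after a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: str) -> Dict[str, List[str]]:
    """Map each directive to the permissive values it effectively allows.

    Directives with no permissive value are omitted, so an empty dict means
    the policy passes this check.
    """
    policy = parse_csp(header)
    findings: Dict[str, List[str]] = {}
    for directive in ("default-src",) + FETCH_DIRECTIVES:
        weak = [s for s in effective_sources(policy, directive) if s in PERMISSIVE]
        if weak:
            findings[directive] = weak
    return findings


if __name__ == "__main__":
    for label, csp in (("scanner report", SCANNER_CSP),
                       ("hardened baseline", HARDENED_CSP)):
        result = audit_csp(csp)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for directive, weak in result.items():
            print(f"  {directive}: {' '.join(weak)}")
```

Note that object-src is reported as weak for the scanner's policy even though it never appears in the header: it inherits the wildcard and unsafe-* values from default-src, which is exactly why the report recommends starting from a restrictive default-src.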

Environment

VMware Cloud Director 10.x

Resolution

This is a known issue within VMware Cloud Director.

Cloud Director uses a Cross-Origin Resource Sharing (CORS) filter that maintains a list of all valid origins. This CORS configuration rejects the preflight request, and any other request, that arrives from an unidentified or attacker-controlled origin, so it blocks cross-site request forgery (CSRF) attempts. For additional information, refer to the documentation Configure CORS for VMware Cloud Director.

Generally, endpoints are not vulnerable to CSRF attacks because Cloud Director does not allow cookie-based authentication.
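To make the mechanism above concrete, here is an added Python model (not Cloud Director's CORS filter; the allowlist and origins are constructed values) of the two checks involved: whether a browser must send a preflight for a cross-origin request at all, and whether the server answers that preflight for the requesting origin. An API call carrying an Authorization header always preflights, and an unlisted origin receives no Access-Control-Allow-Origin, so the browser never sends the real request. A plain form POST needs no preflight and does reach the server, which is why the absence of cookie-based authentication matters: without a session cookie such a request carries no credentials.

```python
"""Model of a CORS preflight allowlist check.

Added example, not VMware Cloud Director code: ALLOWED_ORIGINS and the origins
used below are constructed values.
"""
from typing import Dict, Iterable, Optional

# Constructed allowlist standing in for the origins an administrator configures.
ALLOWED_ORIGINS = {"https://vcd.example.test", "https://portal.example.test"}

# CORS "simple request" rules: anything outside these triggers a preflight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """Return True when a browser must send an OPTIONS preflight first."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True                      # e.g. Authorization
        if lname == "content-type":
            media_type = value.split(";")[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True                  # e.g. application/json
    return False


def preflight_response(origin: str,
                       allowlist: Iterable[str]) -> Optional[Dict[str, str]]:
    """Server-side filter: grant CORS headers only to an allowlisted origin.

    Returning None models a preflight answered without any CORS headers,
    which makes the browser abandon the actual request.
    """
    if origin in set(allowlist):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
            "Access-Control-Allow-Headers": "Authorization, Content-Type",
            "Vary": "Origin",                # the response differs per origin
        }
    return None


def request_reaches_server(origin: str, method: str, headers: Dict[str, str],
                           allowlist: Iterable[str]) -> bool:
    """Does the browser actually transmit this cross-origin request?"""
    if not needs_preflight(method, headers):
        return True   # simple request: sent, but carries no session cookie here
    return preflight_response(origin, allowlist) is not None


if __name__ == "__main__":
    api_headers = {"Authorization": "Bearer <token>",
                   "Content-Type": "application/json"}
    for origin in ("https://portal.example.test", "https://unknown.example.test"):
        sent = request_reaches_server(origin, "POST", api_headers, ALLOWED_ORIGINS)
        print(f"{origin}: API call transmitted = {sent}")
```

The model deliberately separates the browser-side decision (needs_preflight) from the server-side one (preflight_response): CORS only protects requests that the browser gates behind a preflight, so the header-based token authentication is what keeps the ungated form POST harmless.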