vCenter Server vulnerability scan detecting HSTS Missing From HTTPS Server

Article ID: 323223

Products

VMware vCenter Server 7.0
VMware vCenter Server 8.0
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0

Issue/Introduction

Vulnerability scanners may report that the remote web server is not enforcing HTTP Strict Transport Security (HSTS).

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0

Cause

TCP 9080:

ESXi port 9080/tcp does not send HTTP Strict Transport Security (HSTS) headers. HSTS helps protect browser connections against protocol downgrades. Some security scanning tools incorrectly flag the absence of HSTS on port 9080/tcp as a vulnerability, assuming that every TLS port should be browser-compatible. However, port 9080/tcp is not a web server, does not support browser connections, and does not support unencrypted communications, so HSTS checks are irrelevant for this port. VMware is committed to reducing regulatory compliance friction for vSphere administrators and plans to address this in future product versions.

TCP 5580:

TCP port 5580 corresponds to the VMware POD API. This API does not support HTTP at all, so HSTS is not relevant for this port.

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-702-release-notes.html

TCP 3128:

This is the incoming port for smart-card-based authentication on vCenter Server: the connection is redirected to port 3128 during smart card login. The port accepts only pre-configured mutually authenticated connections and is not intended as a direct browser endpoint, so it does not return an HSTS header.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-DE48ED27-E48B-4FDA-B3C8-DD7127BF6879.html

For more information, please refer to https://core.vmware.com/vmware-vsphere-8-default-ssltls-cipher-suites#hsts and https://core.vmware.com/vmware-vsphere-7-default-ssltls-cipher-suites

TCP 2379:

This is a bidirectional TCP port used by vSphere with Tanzu.
Port description: exposes the etcd server; etcd is the distributed key-value store that holds state for the Kubernetes control plane.

If you are not using vSphere with Tanzu, you may close this port.

Resolution

If the vulnerability scanner reports this behavior on the ports listed above, you may need to add an exception to the scanner to suppress this alert.
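Before adding a scanner exception it is worth confirming that the flagged port really is not a browser-facing HTTP endpoint. The following Python is an added triage example (not VMware's code and not part of this article): it parses a Strict-Transport-Security header per RFC 6797, classifies what a port returned to a HEAD request over TLS, and includes a live probe helper; the SAMPLES dictionary is constructed, not captured from a real vCenter.

```python
import socket
import ssl
from typing import Optional

def parse_hsts(value: str) -> tuple[Optional[int], bool]:
    """Parse a Strict-Transport-Security value (RFC 6797; names case-insensitive, max-age required)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def classify(raw_response: Optional[bytes], min_age: int = 31536000) -> str:
    """Triage an 'HSTS missing' hit from what the port returned to a HEAD over TLS:
    not-applicable (no HTTP at all: not a web server, so HSTS cannot apply), finding
    (HTTP without a usable HSTS header), weak (max-age below min_age, default one
    year) or compliant."""
    if not raw_response or not raw_response.startswith(b"HTTP/"):
        return "not-applicable"
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            max_age, _ = parse_hsts(value)
            if max_age is None:
                return "finding"
            return "compliant" if max_age >= min_age else "weak"
    return "finding"

def probe(host: str, port: int, timeout: float = 5.0) -> Optional[bytes]:
    """Live helper: HEAD over TLS; None if the port refuses, fails the handshake or sends nothing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # triage only: we read headers, not trust the cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                return tls.recv(4096) or None
    except (OSError, ssl.SSLError):
        return None

# Constructed sample responses (not captured from a real vCenter) for the two cases.
SAMPLES = {
    9080: None,   # non-HTTP port: nothing resembling an HTTP reply comes back
    443: b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n",
}
```

Run `classify(probe(host, port))` for each flagged port; only a "finding" or "weak" result is worth fixing, while "not-applicable" matches the cases this article describes and can be excepted.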