topic Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server" in Wireless

WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

albertofdez — Mon, 05 Jul 2021 19:36:37 GMT

Hi guys,

I have 2 WLC 5508s in HA with version 8.5.151.0.

In the network there is a Nessus team to detect vulnerabilities in all the devices of the network.

In the WLC it detects the vulnerability "HSTS Missing From HTTPS Server", is there a version that updates this vulnerability or some other way to mitigate it?

Thanks.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

Mark Elsen — Wed, 07 Oct 2020 17:03:18 GMT

- The 5500 series doesn't support it and or versions beyond 8.5 , also note that the 5508 is EOL :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28292/?rfs=iqvred

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

patoberli — Fri, 09 Oct 2020 06:40:33 GMT

The only way to "mitigate" it, is by (warning bad advice) disabling https and only using http.

With a bit more seriousness, you can vastly lower the risk by using a CPU ACL on the WLC, limiting access to the web interface and ssh to some management client IP ranges. HSTS will then still be disabled, but at least only management IPs are able to actually access the WLC.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

albertofdez — Fri, 09 Oct 2020 09:59:41 GMT

Hi,

As you say, disable https and use http, it is not a good solution, but thank you very much for the help.

The other solution seems very good to me, but the client forces me not to create ACLs or rules in the firewall to the IPs of the Nessus, with which it continues to find the vulnerability.

Thanks.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

Scott Fella — Fri, 09 Oct 2020 14:59:22 GMT

Vulnerabilities like this is only fixed by the manufacturer. This should help you also when deciding what new equipment you might implement in the future.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

Rich R — Fri, 09 Oct 2020 16:49:27 GMT

Just wanted to add - this is not technically a vulnerability!

It's a security enhancement feature which Cisco have chosen not to add.

Many would argue that it's not necessary since you should only be able to access the WLC from secure trusted locations over your trusted management infrastructure anyway.

That's vastly different from a public web site which is trying to mitigate against a range of person in the middle attacks.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

Scott Fella — Fri, 09 Oct 2020 18:02:22 GMT

I know... with security teams I have had to work with they seem to label everything as vulnerable. It happens in our team also. We have pen test that happens every month and they hit all devices from inside which again flags these issues. Their job is to flag issues and have service line owners remediate and or work with the vendors on a remediation plan. If it will not be remedied, then a decision is made if the device has to be removed and replaced with new equipment or if there is an exception that will be made for x amount of months.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

Rich R — Sat, 10 Oct 2020 09:07:31 GMT

Ha ha I think we all have the same problem Scott 🙂 Irritatingly the security people who produce these reports are often just cut/pasting from a tool and don't even understand some of the stuff they put in there until you explain it (from my experience). We haven't encountered this particular one ... yet.

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

Scott Fella — Sat, 10 Oct 2020 11:47:24 GMT

Lucky you!!! Every month I have to deal with these reports:)

Re: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

albertofdez — Mon, 12 Oct 2020 13:38:50 GMT

Hi guys,

In this client the security department generates the reports every week and as you say, they do not worry about whether or not it really is a vulnerability, only that the equipment must be fixed or changed.

Thanks.