HSTS Missing From HTTPS Server ISE Vulnerability on CISCO ISE

rajchx (Level 1)

Hi Team,

The Nessus Scanner in our Network has reported a Vulnerability "HSTS Missing From HTTPS Server (RFC 6797)" under the Plugin ID: 142960.

The details about the Vulnerability are mentioned below. I wanted to mitigate this Vulnerability on CISCO ISE Device. Kindly assist with the same.

Synopsis: The remote web server is not enforcing HSTS, as defined by RFC 6797.

Description: The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Recommended Solution: Configure the remote web server to use HSTS.

Link: https://www.tenable.com/plugins/nessus/142960 

Accepted Solution

marce1000 (VIP)
- For starters, you are not mentioning your current ISE version: the general approach for Cisco products concerning security bulletins is to upgrade to a later or latest release, especially if you are currently on an older ISE release. Below are a number of possibly related bug reports:
  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp54240
  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu73993
  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv85789

  In essence they tell the same: upgrade to the latest advisory release for Cisco ISE; if the problem then remains important for your business, call TAC (make a ticket).

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

rajchx (Level 1)

Hi Mate,

Thanks for your response and sorry for not mentioning the current ISE version.

The ISE on my Network is running Version 3.0.0.458. Please find a few device details below.

Personas: Administration, Monitoring, Policy Service, pxGrid (SESSION, PROFILER, DEVICE ADMIN)
Role: SEC(A), SEC(M)
FIPS Mode: Disabled

I wanted to understand whether the currently running ISE version is affected by this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability or not.
Please share with me the workaround & solution.

There is no workaround for it. Either HSTS is there or it is not. Originally HSTS was seen as an enhancement and not as a vulnerability by vendors, so they chose not to implement it. Then Nessus and other variables came up where it started to come out in the newer releases.

In this case, you would have to upgrade to a newer code that supports HSTS. Testing an upgrade in your lab and scanning it would probably give you the best results for determining the right path to go down.
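To make the finding in the original post concrete, and to give a way of re-checking a node after the lab upgrade suggested in the last reply, here is a small offline checker for the Strict-Transport-Security header as RFC 6797 defines it. This is an added example written for this thread; it is not code from Tenable, Cisco or any poster. The sample response headers are constructed, the six-month minimum for max-age is this example's own threshold (the RFC sets none), and the `fetch_headers` helper is only for a live re-check against a host you administer and is not exercised here.

```python
"""
Offline check for the Strict-Transport-Security (HSTS) response header
defined in RFC 6797, mirroring what a scanner finding like Nessus plugin
142960 looks for: is the header present, and is it well formed?

Added example, not Tenable's or Cisco's code. Sample headers below are
constructed; any hostname passed to fetch_headers() is a placeholder.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import http.client

HSTS_HEADER = "strict-transport-security"
# RFC 6797 sets no minimum max-age. Six months is this example's own
# threshold (assumption); browsers forget the policy when it expires.
RECOMMENDED_MIN_MAX_AGE = 180 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value: directives separated by ';', names are
    case-insensitive, max-age is mandatory, a directive may appear only
    once, and unknown directives are ignored (RFC 6797 section 6.1)."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # value may be a quoted-string
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                policy.problems.append(f"max-age is not a non-negative integer: {val!r}")
            else:
                policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive name is ignored, as the RFC requires
    if policy.max_age is None:
        policy.problems.append("max-age directive missing; header is invalid")
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTPS response's headers (empty list = fine)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if HSTS_HEADER not in lower:
        return ["HSTS missing from HTTPS server (RFC 6797)"]
    policy = parse_hsts(lower[HSTS_HEADER])
    findings = list(policy.problems)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif policy.max_age < RECOMMENDED_MIN_MAX_AGE:
            findings.append(f"max-age {policy.max_age} is below recommended minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set (cookies scoped to subdomains stay exposed)")
    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/") -> Dict[str, str]:
    """Live HEAD request over TLS for re-checking a node you administer after
    an upgrade. Not run in the tests; duplicate header names collapse."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses: one missing the header, one weak, one sound.
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_headers(hdrs) or ["OK"])
```

Run against the constructed samples, the "missing" case reproduces the scanner finding, the "weak" case reports a short max-age and no includeSubDomains, and the "good" case is clean. Point `fetch_headers` at an ISE admin node only after the upgrade to confirm the header is actually emitted, since the scanner can only report what the server sends.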