cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3725
Views
2
Helpful
3
Replies

HSTS Missing From HTTPS Server ISE Vulnerability on CISCO ISE

rajchx
Level 1
Level 1

Hi Team,

The Nessus Scanner in our Network has reported a Vulnerability "HSTS Missing From HTTPS Server (RFC 6797)" under the Plugin ID: 142960.

The details about the Vulnerability are mentioned below. I wanted to mitigate this Vulnerability on CISCO ISE Device. Kindly assist with the same.

SynopsisThe remote web server is not enforcing HSTS, as defined by RFC 6797.

DescriptionThe remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Recommended Solution: Configure the remote web server to use HSTS.

Link: https://www.tenable.com/plugins/nessus/142960 

1 Accepted Solution

Accepted Solutions

marce1000
VIP
VIP

 

 - For starters you are not mentioning your current ISE version : the general approach for Cisco products concerning security bulletins  is to upgrade to a later or latest release , especially if your are currently on an older ISE release. Below are a number of possibly related bug reports :
                                 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp54240
                                 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu73993
                                 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv85789
 
     In essence  they tell the same , upgrade to latest advisory release for Cisco ISE ; if the problem then remains important for your business , call TAC (make a ticket) . 

 M.
                                      



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

3 Replies 3

marce1000
VIP
VIP

 

 - For starters you are not mentioning your current ISE version : the general approach for Cisco products concerning security bulletins  is to upgrade to a later or latest release , especially if your are currently on an older ISE release. Below are a number of possibly related bug reports :
                                 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp54240
                                 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu73993
                                 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv85789
 
     In essence  they tell the same , upgrade to latest advisory release for Cisco ISE ; if the problem then remains important for your business , call TAC (make a ticket) . 

 M.
                                      



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi Mate,

Thanks for your response and sorry for not mentioning the current ISE version.

The ISE on my Network is running under the Version 3.0.0.458. Please find few device details below.

Personas: Administration, Monitoring, Policy Service, pxGrid (SESSION,PROFILER,DEVICE ADMIN)
Role:SEC(A), SEC(M)
FIPS Mode:Disabled
 
I wanted to understand whether the current running ISE version has an impact with this HSTS Missing From HTTPS Server (RFC 6797)" Vulnerability or not.
Please share with me the work around & solution.

There is no work around for it. Either HSTS is there or it is not. Originally HSTS was seen as an enhancement and not as a vulnerability by vendors, so they chose not to implement it. Then Nessus and other variables came up where it started to come out in the newer releases.

In this case, you would have to upgrade to a newer code that supports HSTS. Testing an upgrade in your lab and scanning it would probably give you the best results for determining the right path to go down.