Re: New FTD 7.26 installation Vulnerability: Missing httpOnly Cookie

cball111 · ‎06-06-2024

Can anyone tell me how they have remediated this issue? I cant seem to find ANYthing on it after numerous searches. We have the VPN portal on our FTD, and our most recent vuln. scan returned the above finding.

Rob Ingram · ‎06-06-2024

@cball111 you configure this using FlexConfig:-

https://community.cisco.com/t5/cisco-bug-discussions/cscvt31126-enh-allow-http-only-cookie-for-web-connection/td-p/4186092

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/flex-config.html

FYI, FTD 7.2.6 has been removed from cisco downloads, you should look to upgrade to 7.2.7.

cball111 · ‎06-06-2024

I tried creating the FlexConfig as you mentioned, unfortunately the deploy returns an error each time.

cball111 · ‎06-07-2024

I upgraded our FTDs/FMC to 7.2.7, but am still getting an error when I try to deploy the HTTPOnly FlexConfig:

error :
@httpOnly
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- @httpOnly

I then tried it without the @ symbol, and cannot save it to the object:

cball111 · ‎06-07-2024

Salman Mahajan · ‎10-20-2024

FYI -We will be providing a UI option to enable the 'HTTP Only Flag' in FMC 7.7, which is the targeted release for next year.

Ken Stieers · ‎04-07-2025

Hey Salman!

Did the HTTP Only Flag in the UI happen?

Ken