Solved: WLC 5508 GUI vulnerability "HSTS Missing From HTTPS Server"

albertofdez · ‎10-07-2020

Hi guys,

I have 2 WLC 5508s in HA with version 8.5.151.0.

In the network there is a Nessus team to detect vulnerabilities in all the devices of the network.

In the WLC it detects the vulnerability "HSTS Missing From HTTPS Server", is there a version that updates this vulnerability or some other way to mitigate it?

Thanks.

Mark Elsen · ‎10-07-2020

- The 5500 series doesn't support it and or versions beyond 8.5 , also note that the 5508 is EOL :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28292/?rfs=iqvred

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

View solution in original post

patoberli · ‎10-08-2020

The only way to "mitigate" it, is by (warning bad advice) disabling https and only using http.

With a bit more seriousness, you can vastly lower the risk by using a CPU ACL on the WLC, limiting access to the web interface and ssh to some management client IP ranges. HSTS will then still be disabled, but at least only management IPs are able to actually access the WLC.

View solution in original post

Mark Elsen · ‎10-07-2020

- The 5500 series doesn't support it and or versions beyond 8.5 , also note that the 5508 is EOL :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28292/?rfs=iqvred

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

patoberli · ‎10-08-2020

The only way to "mitigate" it, is by (warning bad advice) disabling https and only using http.

With a bit more seriousness, you can vastly lower the risk by using a CPU ACL on the WLC, limiting access to the web interface and ssh to some management client IP ranges. HSTS will then still be disabled, but at least only management IPs are able to actually access the WLC.

albertofdez · ‎10-09-2020

Hi,

As you say, disable https and use http, it is not a good solution, but thank you very much for the help.

The other solution seems very good to me, but the client forces me not to create ACLs or rules in the firewall to the IPs of the Nessus, with which it continues to find the vulnerability.

Thanks.

Scott Fella · ‎10-09-2020

Vulnerabilities like this is only fixed by the manufacturer. This should help you also when deciding what new equipment you might implement in the future.

-Scott
*** Please rate helpful posts ***

Rich R · ‎10-09-2020

Just wanted to add - this is not technically a vulnerability!

It's a security enhancement feature which Cisco have chosen not to add.

Many would argue that it's not necessary since you should only be able to access the WLC from secure trusted locations over your trusted management infrastructure anyway.

That's vastly different from a public web site which is trying to mitigate against a range of person in the middle attacks.

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella · ‎10-09-2020

I know... with security teams I have had to work with they seem to label everything as vulnerable. It happens in our team also. We have pen test that happens every month and they hit all devices from inside which again flags these issues. Their job is to flag issues and have service line owners remediate and or work with the vendors on a remediation plan. If it will not be remedied, then a decision is made if the device has to be removed and replaced with new equipment or if there is an exception that will be made for x amount of months.

-Scott
*** Please rate helpful posts ***

Rich R · ‎10-10-2020

Ha ha I think we all have the same problem Scott 🙂 Irritatingly the security people who produce these reports are often just cut/pasting from a tool and don't even understand some of the stuff they put in there until you explain it (from my experience). We haven't encountered this particular one ... yet.

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella · ‎10-10-2020

Lucky you!!! Every month I have to deal with these reports:)

-Scott
*** Please rate helpful posts ***

albertofdez · ‎10-12-2020

Hi guys,

In this client the security department generates the reports every week and as you say, they do not worry about whether or not it really is a vulnerability, only that the equipment must be fixed or changed.

Thanks.