HSTS Missing From HTTPS Server (RFC 6797) for DDC servers

Article ID: CTX335402

Description

Security teams running Nessus scans report a finding on their controllers: HSTS Missing From HTTPS Server, Nessus Plugin ID 84502, which is rated as a medium-severity finding.

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

On the Citrix Virtual Apps and Desktops Delivery Controller (DDC), when TLS is enabled for the XML and STA endpoints, customers using Tenable's Nessus security scanner may receive a false positive for plugin 142960. This warning indicates that a web site is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an HTTP response header that directs web browsers to interact with a web site only over secure communications (HTTPS).
 
This warning does not apply to the Citrix DDC unless the IIS role is installed, because XML and STA are strictly APIs exposed to Citrix Gateway and StoreFront and cannot be accessed via a web browser. HSTS exists to instruct web browsers to always use HTTPS; it has no effect on API clients such as StoreFront and NetScaler, and communication on this port is strictly with API clients.
 
As a best security practice, Citrix recommends restricting access to the XML and STA endpoints to only authorized Gateway and StoreFront servers using firewalls, IPsec, or other security mechanisms. Implementing this will also prevent the false positive from Nessus.

Problem Cause

While a Nessus scan is being performed, any device meeting both of the following criteria will trigger the security alert.

The device has a hostname
The device has an SSL certificate installed

If a device has both but is missing the HSTS header, the plugin flags it as vulnerable based on RFC 6797.

Additional Information

We have found why the finding only recently started to be reported: a new HSTS plugin was introduced.
https://community.tenable.com/s/article/Difference-between-HSTS-plugins-84502-and-142960
This newer plugin checks for more things, including:
i. The hostname of the device
ii. The SSL certificate
iii. If it has both of them but is missing the HSTS header, the plugin flags it as vulnerable based on RFC 6797.
DDCs are flagged because the server has a DNS hostname and an SSL certificate.
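As an added example (not Citrix's or Tenable's code), the following Python check mirrors the criteria listed under Problem Cause and Additional Information: it looks for a Strict-Transport-Security header in an HTTPS response and validates it against the RFC 6797 grammar, so an XML/STA response carrying no header reports exactly the condition the plugin flags, while a malformed header is reported as not enforced because browsers ignore it. The header dictionaries are constructed samples, not captured from a real controller.

```python
import re
from typing import Dict, Optional, Tuple

# Grammar from RFC 6797 section 6.1: directive names are case-insensitive
# tokens, values are tokens or quoted-strings, directives are separated by
# ";", each name may appear only once, and max-age (1*DIGIT) is REQUIRED.
# A header breaking any of these rules is ignored by a conforming browser.
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z][A-Za-z0-9_-]*)\s*'        # directive name
    r'(?:=\s*(?:"([^"]*)"|([^\s";]*))\s*)?$'  # optional quoted or token value
)

def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an STS header value; return None when a browser would ignore it."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # the grammar permits empty directives (e.g. a trailing ";")
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None  # duplicate directive names invalidate the header
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age missing or not delta-seconds
    return directives

def hsts_status(headers: Dict[str, str], over_tls: bool = True) -> Tuple[bool, str]:
    """Decide, as the scanner does, whether this response enforces HSTS."""
    if not over_tls:
        return False, "HSTS is only honoured on HTTPS responses"
    raw = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return False, "Strict-Transport-Security header missing"
    parsed = parse_hsts(raw)
    if parsed is None:
        return False, "Strict-Transport-Security header malformed (ignored by browsers)"
    if int(parsed["max-age"]) == 0:
        return False, "max-age=0 clears the HSTS policy rather than enforcing it"
    return True, f"HSTS enforced for {parsed['max-age']} seconds"

# Constructed sample responses: an API-style XML reply with no HSTS header
# (the DDC case described above) and a browser-facing page that sets one.
API_ONLY_RESPONSE = {"Content-Type": "text/xml"}
BROWSER_FACING_RESPONSE = {"Content-Type": "text/html",
                           "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, hdrs in (("api", API_ONLY_RESPONSE), ("web", BROWSER_FACING_RESPONSE)):
        print(label, hsts_status(hdrs))
```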
Tenable has a YouTube video on avoiding false positives
https://www.youtube.com/watch?v=hBTWLSOvL4c