  • 1.  Media Servers and HSTS Vulnerability

    Posted 12-03-2020 13:57
    Hi all,

    We have an open support ticket on this but thought reaching out to the community may prove useful.

    Our security scanning software has generated a ticket for each of our IC Media Servers. The vulnerability identified is "Vulnerability found for: HSTS Missing From HTTPS Server (RFC 6797)"

    The description is: The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

    Question is, have any of you run into this vulnerability with the media servers?

    If so, do you have a suggested way to mitigate or add HSTS to the media servers? It seems to be related to Port 446 and the media servers' web interface. We're running 2020 R2 Patch 7.

    Thanks all!
    #Security
    #SystemAdministration

    ------------------------------
    Shane Jenkins
    SAIC
    ------------------------------
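    The finding above concerns one response header. As an added example (not code from the original post or from Genesys), the following Python script parses a Strict-Transport-Security value according to RFC 6797 and classifies a response as missing, invalid, weak or ok, so a fix or a security exception can be verified against your own server. The one-year threshold for "weak" is an assumption; the default port of 446 is the one mentioned in the post, and the sample responses are constructed.

```python
import http.client
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One directive: name, optionally "=" followed by a token or a quoted-string.
_DIRECTIVE = re.compile(r"^\s*(" + _TOKEN + r")\s*(?:=\s*(\"[^\"]*\"|" + _TOKEN + r"))?\s*$")
ONE_YEAR = 31536000  # assumption: a shorter max-age is reported as "weak"

def parse_hsts(value):
    """Return {directive: value} for a valid STS field value, else None."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # RFC 6797 tolerates empty directives between semicolons
        m = _DIRECTIVE.match(part)
        if m is None:
            return None  # syntax error: the whole field must be ignored
        name, val = m.group(1).lower(), m.group(2)
        if name in seen:
            return None  # a directive may appear only once
        seen[name] = val[1:-1] if val and val.startswith('"') else val
    age = seen.get("max-age")
    if age is None or not age.isdigit():
        return None  # max-age is mandatory and must be delta-seconds
    return seen

def assess(headers):
    """Classify (name, value) response headers: missing, invalid, weak or ok."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return "missing"
    parsed = parse_hsts(sts[0])  # RFC 6797 8.1: only the first field is processed
    if parsed is None:
        return "invalid"
    return "weak" if int(parsed["max-age"]) < ONE_YEAR else "ok"

def check_server(host, port=446, path="/"):
    """HEAD one HTTPS endpoint you administer and assess its HSTS header (network call)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)  # verifies the cert by default
    conn.request("HEAD", path)
    return assess(conn.getresponse().getheaders())

# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "missing": [("Content-Type", "text/html")],
    "ok": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "weak": [("Strict-Transport-Security", "max-age=300")],
    "invalid": [("Strict-Transport-Security", "max-age=31536000; max-age=0")],
}
```

A media server with a self-signed certificate will fail the default certificate check in check_server; pass an ssl context that trusts your internal CA rather than disabling verification.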


  • 2.  RE: Media Servers and HSTS Vulnerability

    Posted 12-03-2020 14:56
    Hi Shane,

    We had this a few years ago but it was on port 443, which is our media server web interface. To resolve it I simply disabled the HTTP/HTTPS server so that the media server web interface was only accessible locally. Since it is no longer accessible externally the scans come back clean.

    To do this you will want to log into the media server web interface and click on config and go to the Administration section. Click Disable under the http/https server.

    ------------------------------
    Scott Williams
    Missouri Higher Education Loan Authority
    ------------------------------



  • 3.  RE: Media Servers and HSTS Vulnerability

    Posted 12-04-2020 07:31
    Hello Scott,

    We are doing our quarterly PCI audit and I think this may be one of our items as well. I assume this means I need to use the browser on the media server, or is there a different interface I am not considering?

    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------



  • 4.  RE: Media Servers and HSTS Vulnerability

    Posted 12-04-2020 09:08
    Yes, this means you will only be able to access the media server web interface from the media server itself.

    ------------------------------
    Scott Williams
    Missouri Higher Education Loan Authority
    ------------------------------



  • 5.  RE: Media Servers and HSTS Vulnerability

    Posted 12-16-2020 10:42
    All,

    Anyone have info on IC-157302? This SCR was referenced by support for specifically addressing the HSTS Media Server issue. I cannot seem to find much info on the SCR via the SCR Lookup tool nor in looking through the IC Summary via release notes.

    I believe it is part of 2020 R3 and beyond but I'm not sure. Just checking for confirmation as I may need to file a Security exception until we upgrade again.

    Thanks all!

    ------------------------------
    Shane Jenkins
    SAIC
    ------------------------------


