Dell Unity: HSTS Missing From HTTPS Server-User Correctable

Summary: A vulnerability scanner reports that HTTP Strict Transport Security (HSTS) is missing from the HTTPS server on a Dell Unity array running OE revision 4.2.1.9535982 or later.

Symptoms

A vulnerability scanner reports that HSTS is missing from the HTTPS servers on a Dell Unity array running Dell Unity OE revision 4.2.1.9535982 or later.

Cause

This may be a false positive reported by the scanner.

Resolution

As of Dell Unity Operating Environment (OE) revision 4.2.1, Unity includes HSTS on ports 443, 8443, and 8444.

As of Dell Unity OE revision 5.3, Unity includes HSTS enhancements on port 5989. However, a scanner program still reports the port as a vulnerability.

There is a workaround to disable port 5989 on Unity. Dell does not recommend this method and strongly suggests implementing an external network change instead. If access to port 5989 must be blocked (that is, to place Unity behind a firewall), Dell can disable port 5989. Dell Technical Support must be engaged to make this change. Contact Dell Technical Support or your Authorized Service Provider and quote this Dell Knowledge Base article ID.

For more information about the ports used in Unity's security, go to Dell Support and search for this document: Dell Unity Family Security Configuration Guide

Additional Information

HTTP Strict Transport Security (HSTS) is a security-related HTTP response header that instructs client browsers to access the site only over an HTTPS connection. The browser enforces this restriction itself instead of relying only on server-side redirects. The HTTP Strict Transport Security header helps reduce the successful exploitation of man-in-the-middle attacks that are used to eavesdrop on or interact with client sessions.
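
To confirm or dismiss a scanner finding per port, the following Python check requests the Strict-Transport-Security header on the ports listed in this article and classifies each result. It is an added example, not part of the Dell article or Dell tooling; the function names and the use of a `HEAD /` request are assumptions of the example.

```python
import http.client

# Ports the article names as sending HSTS (5989 from OE 5.3 onward).
UNITY_HSTS_PORTS = (443, 8443, 8444, 5989)


def hsts_max_age(value):
    """Return max-age in seconds, or None if a browser would ignore the header."""
    seen = {}
    for part in (value or "").split(";"):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: a repeated directive invalidates the header
            return None
        if name:
            seen[name] = arg.strip().strip('"')
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is mandatory and must be a non-negative integer
    return int(max_age)


def classify(value):
    """Turn a raw header value into a finding for the scan report."""
    max_age = hsts_max_age(value)
    if max_age is None:
        return "missing-or-invalid"
    return "disabled" if max_age == 0 else "present"  # max-age=0 clears the policy


def fetch_hsts(host, port, context=None, timeout=5):
    """Return the Strict-Transport-Security header served on host:port, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=context)
    try:
        conn.request("HEAD", "/")  # assumption: the listener answers HEAD /
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def audit(host, context=None):
    """Check each listed port; connection failures are recorded, not raised."""
    results = {}
    for port in UNITY_HSTS_PORTS:
        try:
            results[port] = classify(fetch_hsts(host, port, context))
        except (OSError, http.client.HTTPException) as exc:
            results[port] = f"unreachable: {exc}"
    return results
```

Call `audit()` with the array's management address; if the array's certificate is not in the system trust store, pass an `ssl.SSLContext` loaded with the issuing CA as `context`. A port reported as `present` while the scanner flags it supports the false-positive explanation for that port.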

A workaround is available which allows the Unity UEMCLI and Unisphere to work with the management service internally on port 5989. The change disables the connection on port 5989 from external workstations or servers. However, Dell Technical Support must implement this workaround as it is not available for customer remediation. Contact Dell Technical Support or your Authorized Service Provider and quote this Dell Knowledge Base article ID.

Important Note:
  • These changes have to be made to both Unity Storage Processors (SPs); otherwise, the configuration will be lost after a management service failover (shutdown, reboot, and so forth).
  • These changes are overwritten when any Unity OE code upgrade is performed. Once the array has been upgraded, these changes have to be reconfigured if they must remain.

Affected Products

Dell EMC Unity Family

Products

Dell Unity 300, Dell EMC Unity Family
Article Properties
Article Number: 000052770
Article Type: Solution
Last Modified: 28 Feb 2024
Version: 8