Resolve HSTS vulnerability CVEs on IIS10

IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console


This article will help resolve HSTS security vulnerability findings on IIS10. The steps apply to Windows Server 2016 and later and address multiple vulnerabilities, including CVE-2023-23915, CVE-2023-23914 and CVE-2017-7789. There are a few ways to configure IIS; this post shows how to set up the HTTP response header and the HTTP redirect on the server(s) holding the SCOM web console role.


Setting HSTS on IIS10 with Server 2016 1609

Open a PowerShell window as Administrator and list the IIS shared-libraries directories in WinSxS:
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name

Change into the latest of the listed directories.
NOTE the latest directory is the bottom entry, since the names sort by build number.

Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name

Name
----
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.0_none_48b28891ffe5bdae
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1613_none_90c5a57843ef1621
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.5246_none_90f3a94643cc33e1

# AppCMD lines (run from the directory selected above)
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.enabled:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.max-age:31536000" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.includeSubDomains:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.redirectHttpToHttps:True" /commit:apphost
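The 1609 steps above, scripted end to end as an added PowerShell example (this is not code from the original post): it picks the highest-versioned shared-libraries directory automatically instead of reading it off the listing, applies the same four appcmd settings, and reads the site configuration back so the change can be confirmed before an iisreset. The site name and max-age are parameters. The post runs appcmd.exe from the WinSxS directory; the fallback to %windir%\System32\inetsrv\appcmd.exe (appcmd's standard location) is this example's assumption for servers where no WinSxS copy is found.

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell prompt.
param(
    [string]$SiteName = 'Default Web Site',   # site the SCOM web console lives under
    [int]$MaxAge      = 31536000              # one year, as in the post
)

# Select the latest wow64_microsoft-windows-iis-sharedlibraries_* directory. The fourth
# underscore-separated field of the name is the file version (e.g. 10.0.14393.5246), so
# sorting on it as a [version] gives the "bottom entry" without eyeballing the listing.
$sxsDir = Get-ChildItem 'C:\Windows\WinSxS' -Directory -Filter 'wow64_microsoft-windows-iis-sharedlibraries*' |
    Sort-Object { [version](($_.Name -split '_')[3]) } -Descending |
    Select-Object -First 1

$appcmd = $null
if ($sxsDir) { $appcmd = Join-Path $sxsDir.FullName 'appcmd.exe' }
# Assumption: fall back to the standard IIS location if the WinSxS copy is absent.
if (-not $appcmd -or -not (Test-Path $appcmd)) {
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
}
if (-not (Test-Path $appcmd)) { throw 'appcmd.exe not found; is the Web Server (IIS) role installed?' }
Write-Host "Using $appcmd"

# The same four settings as the post, applied in order (enable first).
$hsts = [ordered]@{
    'hsts.enabled'             = 'True'
    'hsts.max-age'             = $MaxAge
    'hsts.includeSubDomains'   = 'True'
    'hsts.redirectHttpToHttps' = 'True'
}
foreach ($entry in $hsts.GetEnumerator()) {
    & $appcmd set config -section:system.applicationHost/sites "/[name='$SiteName'].$($entry.Key):$($entry.Value)" /commit:apphost
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed on $($entry.Key) (exit code $LASTEXITCODE)" }
}

# Read the sites section back; the site's hsts element should now carry all four attributes.
& $appcmd list config -section:system.applicationHost/sites | Select-String -Pattern 'hsts'
```

The script stops on the first appcmd failure rather than continuing with a half-applied configuration, which is the state that produces the IIS error 500 the post opens with.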

For Server 2016 1709 and later

To add the HSTS header, follow the steps below:

Open IIS Manager.
Select your site.
Open the HTTP Response Headers feature.
Click Add in the Actions pane.
In the Add Custom HTTP Response Header dialog, enter the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or set it directly in web.config, under system.webServer, as below:

<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>

NOTE an iisreset may be required to restart IIS and apply the settings.

Verify HTTP Response Headers

From IIS10 (IIS Manager) > click on ‘Default Web Site’ > HTTP Response Headers

Verify that the Strict-Transport-Security value matches what you entered.

HSTS IIS10 HTTP Response Headers screenshot verifying settings applied

Set HTTP Redirect

Now set the HTTP redirect, to prevent denial of service (DoS) attacks.

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > HTTP Redirect

Default Web Site HTTP Redirect to SCOM web console URL

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > go through each application and set the HTTP redirect

Set HSTS HTTP Redirect on other web applications

Finally, browse to your web console URL to verify that all components load.
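The IIS Manager check under Verify HTTP Response Headers and this final browser test, done from the client side as an added PowerShell example (not code from the original post): it fetches the console over HTTPS and parses the Strict-Transport-Security directives the server actually sends, then requests the plain-HTTP URL with redirects disabled to confirm it is sent to an https:// location. Assumptions: Windows PowerShell 5.1 (where a 3xx with -MaximumRedirection 0 surfaces as a WebException carrying the response), and the host name scomweb.example.local, which is a placeholder for your SCOM web console server.

```powershell
# Added example (not from the original post). Windows PowerShell 5.1, run from a client that
# can reach the console. Replace the placeholder host name with your SCOM web console server.
param(
    [string]$ConsoleHost = 'scomweb.example.local',   # placeholder, not a real host
    [string]$ConsolePath = '/OperationsManager',
    [int]$MinMaxAge      = 31536000                   # one year, as configured above
)

function Test-HstsHeader {
    # Fetch over HTTPS and check the Strict-Transport-Security directives actually sent.
    param([string]$Url, [int]$MinMaxAge)
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials
    $hsts = @($resp.Headers['Strict-Transport-Security']) -join ' '   # '' when the header is absent
    $maxAge = 0
    if ($hsts -match 'max-age=(\d+)') { $maxAge = [int]$Matches[1] }
    [pscustomobject]@{
        Check = 'HSTS header'
        Url   = $Url
        Value = $hsts
        Pass  = ($hsts -ne '') -and ($maxAge -ge $MinMaxAge) -and ($hsts -match 'includeSubDomains')
    }
}

function Test-HttpRedirect {
    # Request over plain HTTP with redirects disabled. Windows PowerShell 5.1 raises the 3xx
    # as an exception whose Response property still holds the status and Location header.
    param([string]$Url)
    $status = 0; $location = ''
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $status = [int]$resp.StatusCode; $location = "$($resp.Headers['Location'])"
    } catch {
        $r = $_.Exception.Response
        if (-not $r) { throw }   # connection-level failure, not a redirect: surface it
        $status = [int]$r.StatusCode; $location = "$($r.Headers['Location'])"
    }
    [pscustomobject]@{
        Check = 'HTTP -> HTTPS redirect'
        Url   = $Url
        Value = "$status $location"
        Pass  = ($status -in 301, 302, 307, 308) -and ($location -like 'https://*')
    }
}

$results = @(
    (Test-HstsHeader   -Url "https://$ConsoleHost$ConsolePath" -MinMaxAge $MinMaxAge),
    (Test-HttpRedirect -Url "http://$ConsoleHost$ConsolePath")
)
$results | Format-Table Check, Pass, Value -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit so a scheduled job can flag it
```

If the console uses a certificate from an internal CA, import that CA into the client's trusted roots before running this; the HTTPS request failing on certificate validation is itself a finding, not something to bypass in the script.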

References

NIST NVD: CVE-2023-23915, CVE-2023-23914

MITRE: CVE-2017-7789

Blog: https://inthetechpit.com/2019/07/17/add-strict-transport-security-hsts-response-header-to-iis-hosted-site/

ACAS scan for Java vulnerabilities, Plugin IDs 170161 and 166316

Java vulnerabilities on your SCOM servers

If you’re responsible for security compliance on SCOM servers, there will be times when applications need to be upgraded. The current effort is Java vulnerabilities on your SCOM servers; the current examples are Plugin IDs 170161 and 166316. Compliance and security are big deals, even in air-gapped networks. Why? Even if the external hacking risk is low, the security tools will cause administrative headaches when scanning weekly or more often, and the scans can also be intrusive in nature, causing even more problems. For the Java vulnerabilities: when running some third-party tools, like Cisco UCS monitoring, Java is installed for the application to run. Java is like OS updates: periodic vulnerabilities pop up on your favorite security scanner software/tool (like Nessus/ACAS/Tenable+).

Oracle Java vulnerability detail links: Plugin ID 170161, Plugin ID 166316

ACAS Java vulnerabilities

For these specific vulnerabilities, the tool looks for Java 1.8.0+ install paths. Even after upgrading Java, the vulnerabilities still showed; requesting the plugin’s debug output showed two paths on C: (the 64-bit and 32-bit paths).

Plugin Output:

Path              : C:\Program Files (x86)\Java\jre1.8.0_341\
Installed version : 1.8.0_341 / build 8.0.341
Fixed version     : Upgrade to version 8.0.361 or greater

Path              : C:\Program Files\Java\jre1.8.0_341\
Installed version : 1.8.0_341 / build 8.0.341
Fixed version     : Upgrade to version 8.0.361 or greater

In my case, the upgrade completed but did not remove the old, vulnerable version 1.8.0_341!

PS C:\Program Files\java> gci

    Directory: C:\Program Files\java

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
da----        7/28/2022   6:27 AM                jre1.8.0_341
da----        3/15/2023   6:12 PM                jre1.8.0_361

Verify Java version on affected server(s)

Verify the install, either from Windows Explorer on the C: drive path or from Control Panel > Programs and Features > Installed.

Java application from Programs and Features

NOTE multiple Java versions show as installed on the server. To resolve the vulnerability, you’ll need to download the latest update from Oracle here, install it, and then remove the old versions (note that both the 32-bit and 64-bit versions were installed).

From PowerShell as admin, change to the path where you saved the Java installer exe and launch it.

Java installer splash screen

Click Close once Java is installed.

Java install completed

Additional validation step

From Event Viewer, in the Application event log, look for MsiInstaller events to validate that the Java install succeeded.

Windows Application Event Log, looking for MsiInstaller events to validate Java install successful
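The verification steps of this post (both Program Files paths the plugin reported, the stale 1.8.0_341 directory that survived the upgrade, the Programs and Features entries, and the MsiInstaller events) as one added PowerShell example; this is not code from the original post. It walks the 64-bit and 32-bit Java directories the way the scanner does, flags any update level below the fixed one, lists the matching uninstall entries with their MSI product codes so the old version can be removed, and pulls the recent MsiInstaller events. Assumptions: the fixed update level defaults to 361 from the plugin output above, the folder naming pattern jre1.8.0_NNN / jdk1.8.0_NNN, and the Programs and Features DisplayName pattern "Java 8 Update NNN".

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell prompt
# on the SCOM server. Raise -FixedUpdate as Oracle ships newer updates.
param(
    [int]$FixedUpdate = 361,   # "Upgrade to version 8.0.361 or greater"
    [int]$EventHours  = 24     # how far back to look for MsiInstaller events
)

function Get-JavaInstalls {
    # Walk both paths the scanner reported: 64-bit and 32-bit Program Files.
    param([int]$FixedUpdate)
    $roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $arch = if ($root -like '*(x86)*') { 'x86' } else { 'x64' }
        foreach ($dir in Get-ChildItem $root -Directory) {
            # Folder names such as jre1.8.0_341; the number after the underscore is the update level.
            if ($dir.Name -match '^(jre|jdk)1\.8\.0_(\d+)$') {
                $update = [int]$Matches[2]
                [pscustomobject]@{
                    Arch       = $arch
                    Update     = $update
                    Vulnerable = ($update -lt $FixedUpdate)
                    Path       = $dir.FullName
                }
            }
        }
    }
}

function Get-JavaUninstallEntries {
    # Programs and Features reads these keys; PSChildName is the MSI product code that
    # msiexec /x needs to remove a stale version.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java 8 Update*' } |
        Select-Object DisplayName, DisplayVersion, @{ n = 'ProductCode'; e = { $_.PSChildName } }
}

function Get-JavaMsiEvents {
    # MsiInstaller events 1033/1034 (product install/removal completed) and 11707/11724
    # (installation/removal succeeded) are what Event Viewer shows for the install step.
    param([int]$Hours)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 1034, 11707, 11724
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Java' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$installs = @(Get-JavaInstalls -FixedUpdate $FixedUpdate)
$installs | Format-Table Arch, Update, Vulnerable, Path -AutoSize

$stale = $installs | Where-Object Vulnerable
if ($stale) {
    Write-Warning "The scanner will keep flagging these until they are removed:`n$($stale.Path -join "`n")"
    # Removal is a deliberate step (msiexec /x {ProductCode} for the old entry), not part of this report.
    Get-JavaUninstallEntries | Format-Table -AutoSize
}

Get-JavaMsiEvents -Hours $EventHours | Format-Table -AutoSize
```

Run it once before the upgrade to record the baseline and once after: the second run should show only the new update level under both Program Files paths, a single Java 8 Update entry per architecture in the uninstall keys, and the install and removal events from the window in which you did the work.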

For me, knowing that the Cisco UCS application used Java, I wanted to verify the alerts in SCOM, as well as that the service restarted without issue.

Cisco UCS Service from services.msc

Happy trails, being compliant and secure!