"HTTP Header Injection Vulnerability (http-generic-script-header-injection)" issue

kwongluk_pang asked:

How to fix the "HTTP Header Injection Vulnerability (http-generic-script-header-injection)" issue on a VMware ESXi 6.0 host?

Zephyr ICT (Cloud Architect) commented:
Hi,

Are you talking about this vulnerability? It isn't valid anymore for ESXi 6.0 (or vCenter to be more precise)...

Or are you talking about something else? If you are, what exactly? Can you be a little more specific; do you have a reference?
0

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I would have to agree, you should not be concerned.
0
gheist commented:
"-generic-" means that you need to check manually IF there is any vulnerability.
If you look at OWASP, this text means that unmodified text from some part of the post was returned into the page.
0

kwongluk_pang (Author) commented:
Yes, it is a security vulnerability.
Our auditor used the tool to scan our ESXi 6.0 host and found "HTTP Header Injection Vulnerability (http-generic-script-header-injection)" vulnerabilities.
How do we fix this issue, as we need to give an answer to our external auditor? Is there any way to fix it? Is it a known issue? Is there any VMware article saying we can ignore the above security vulnerability?
0
gheist commented:
He has to demonstrate that it is exploitable, i.e. that the header appears on the web page unfiltered.
Like an example URL...
0
Zephyr ICT (Cloud Architect) commented:
Like gheist mentions, it's a possible vulnerability, but the auditor needs to prove it. You can show the auditor the link I gave in my first post. At the time of writing there is no known vulnerability of HTTP response splitting for ESXi 6.0.
0
gheist commented:
It would be nice to hear about the scanner you used and some OWASP or similar reference for the vulnerability,
e.g. https://www.owasp.org/index.php/Top_10_2013-A1-Injection

Since it says GENERIC, I'd say that the scanner found a script that sets headers (e.g. cookies), and the place where they are parsed should be tested further like any other post field.
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
If you are unsure, log a support call with VMware Support, for external verification from the vendor of the software for your Auditor.
0
kwongluk_pang (Author) commented:

VA Scanner Tool: Nexpose from Rapid7 LLC

Injected into the "P" URL parameter (Using method GET) in
https://10.xx.xx.xx/en/?P=+ADw-script+AD4-alert(42)+ADw-/script+AD4- by
changing the URL to
https://10.xx.xx.xx/en/?P=%0d%0arapid7:%20injected_value
5: HTTP/1.1 303 See Other
6: Connection: close
7: Location: /en/?P=
8: Date: Thu, 23 Apr 2015 04:46:59 GMT
5: rapid7: injected_value/
0
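The scanner output above and gheist's earlier point (the place where the echoed parameter is parsed into headers must be tested, and the finding only counts if the injected text comes back as its own header line) can be checked offline. The following is an added example, not code from the thread, from Nexpose or from VMware: it parses a captured response head, reports whether the marker header the scanner used ("rapid7: injected_value") was interpreted as a separate header rather than staying inside the Location value, and shows the generic server-side fix (percent-encoding the parameter before it is placed in Location). The two captures are constructed to mirror the shape of the quoted output and are not real ESXi responses; the function names are the example's own.

```python
"""
Offline check for an HTTP response-splitting finding, plus the generic fix.

Added example, not from the thread or from VMware. The captured responses
below are constructed to mirror the shape of the Nexpose output quoted
above (a 303 whose Location echoes the P parameter); they are not real
ESXi output.
"""
from typing import List, Tuple
from urllib.parse import quote

# Marker the scanner used: a CRLF followed by a header it expects to see
# reflected as a line of its own.
MARKER_NAME = "rapid7"
MARKER_VALUE = "injected_value"

# Constructed capture 1: the server decoded %0d%0a and wrote the raw CRLF
# into Location, so "rapid7: injected_value/" became a header of its own.
VULNERABLE_CAPTURE = (
    "HTTP/1.1 303 See Other\r\n"
    "Connection: close\r\n"
    "Location: /en/?P=\r\n"
    "rapid7: injected_value/\r\n"
    "Date: Thu, 23 Apr 2015 04:46:59 GMT\r\n"
    "\r\n"
)

# Constructed capture 2: the same redirect after the fix; CR and LF stay
# percent-encoded inside the Location value.
FIXED_CAPTURE = (
    "HTTP/1.1 303 See Other\r\n"
    "Connection: close\r\n"
    "Location: /en/?P=%0D%0Arapid7%3A%20injected_value\r\n"
    "Date: Thu, 23 Apr 2015 04:46:59 GMT\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into (name, value) pairs.

    Accepts CRLF or bare LF line endings, since captures are often
    normalised in transit. Stops at the first blank line (end of headers).
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # index 0 is the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def is_split(raw_response: str) -> bool:
    """True if the marker header shows up as a header of its own.

    That is the condition gheist describes: the injected text came back
    unfiltered and was parsed as a new header line instead of staying
    inside the Location value where the server put the parameter.
    """
    for name, value in parse_headers(raw_response):
        if name == MARKER_NAME and value.startswith(MARKER_VALUE):
            return True
    return False


def redirect_location(base_path: str, p: str) -> str:
    """Build a Location value that cannot grow extra header lines.

    Percent-encoding the parameter turns CR and LF into %0D and %0A, so
    the value stays on one line. This is the generic fix for the finding
    (assumed here; it is not a VMware-supplied patch).
    """
    return f"{base_path}?P={quote(p, safe='')}"


if __name__ == "__main__":
    print("vulnerable capture split:", is_split(VULNERABLE_CAPTURE))
    print("fixed capture split:     ", is_split(FIXED_CAPTURE))
    print("safe Location:", redirect_location("/en/", "\r\nrapid7: injected_value"))
```

Run against a real capture, is_split() answers the question the auditor has to answer: whether the CRLF in the parameter actually broke out of the Location header. A "true" result on your own host is what would justify the vendor support call suggested above; a "false" result on a response that still echoes the parameter means the scanner matched on the echo alone.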
kwongluk_pang (Author) commented:

Will disabling the Managed Object Browser (MOB) fix the above vulnerability?

0
gheist commented:
No idea. Please contact vmware support AFTER you confirm the vulnerability.
0
Zephyr ICT (Cloud Architect) commented:
I don't think that would do anything. Besides, the MOB should be disabled by default; if it isn't, you can disable it, of course.
0