dannyb1971
Lurker
Posts: 2
Liked: never
Joined: May 21, 2023 5:48 pm
Full Name: Danny Ben

Veeam 12 HSTS Missing From HTTPS Server port 6172

Post by dannyb1971 »

Hi,

I'm now testing Veeam Backup & Replication 12, Build 12.0.0.1420 P20230412, on Windows 2019. As part of my security task, I ran the Tenable scanner and received a vulnerability finding on port 6172. Any idea how to enforce HSTS on port 6172?

From Tenable
Description
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Output from most recent scan

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

Solution
Configure the remote web server to use HSTS.
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Veeam 12 HSTS Missing From HTTPS Server port 6172

Post by HannesK »

Hello,
and welcome to the forums.

Well, there is no web server running on that port, so that setting does not exist. It's a Veeam proprietary protocol that uses certificates for internal authentication. I guess Tenable should update their signatures :-)

Best regards,
Hannes
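A quick way to check this kind of finding before filing a ticket is to ask the listener what it actually speaks: open a TLS session, send a minimal HTTP request, and see whether an HTTP status line comes back. If it does not, the finding cannot be remediated with a response header, because there is no HTTP response to put it in. The script below is an added example written for this thread; it is not Veeam's or Tenable's code, and the host and port on the command line, the sample replies, and the verdict names are all this script's own assumptions. A plain Python 3 interpreter is enough; the host and port would normally be the backup server and 6172.

```python
"""Probe a TLS port and classify the reply: HTTP with HSTS, HTTP without HSTS, or not HTTP.

Added example for this thread, not code from Veeam or Tenable. The HOST/PORT
arguments, the constructed sample replies, and the verdict labels are assumptions.
"""
import socket
import ssl
import sys

NOT_HTTP = "not_http"          # no HTTP status line: an HSTS header cannot apply here
HTTP_NO_HSTS = "http_no_hsts"  # HTTP reply without a usable Strict-Transport-Security header
HTTP_HSTS = "http_hsts"        # HTTP reply with Strict-Transport-Security carrying max-age


def _has_valid_hsts(value: bytes) -> bool:
    """RFC 6797 requires the max-age directive; browsers ignore the header without it."""
    for directive in value.split(b";"):
        name, sep, num = directive.strip().partition(b"=")
        if sep and name.strip().lower() == b"max-age" and num.strip().strip(b'"').isdigit():
            return True
    return False


def classify_response(raw: bytes) -> str:
    """Classify the bytes returned after sending an HTTP/1.1 GET over TLS.

    Only a status line of the form 'HTTP/x.y NNN ...' counts as HTTP. An empty
    reply or binary framing from some other protocol is reported as NOT_HTTP.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2) if lines else []
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return NOT_HTTP
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"strict-transport-security":
            return HTTP_HSTS if _has_valid_hsts(value) else HTTP_NO_HSTS
    return HTTP_NO_HSTS


def probe(host: str, port: int, timeout: float = 5.0, limit: int = 65536) -> bytes:
    """Open a TLS connection, send a minimal GET, and return whatever comes back.

    Certificate verification is disabled on purpose: the question is which
    protocol the listener speaks, not whether its (often self-signed) cert is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            try:
                while sum(len(c) for c in chunks) < limit:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except (socket.timeout, ssl.SSLError, ConnectionResetError):
                pass  # a non-HTTP listener may stay silent or drop the session; keep what we got
    return b"".join(chunks)


# Constructed sample replies used to exercise classify_response offline (not captured traffic).
SAMPLE_HTTP_WITH_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_HTTP_NO_HSTS = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
SAMPLE_HSTS_NO_MAX_AGE = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: includeSubDomains\r\n\r\n"
SAMPLE_NOT_HTTP = b"\x00\x00\x00\x1a\x01\x02binary-framing"  # stands in for a proprietary protocol
SAMPLE_EMPTY = b""


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} HOST PORT")
        sys.exit(2)
    host, port = sys.argv[1], int(sys.argv[2])
    try:
        verdict = classify_response(probe(host, port))
    except ssl.SSLError as exc:
        verdict = f"tls_handshake_failed ({exc})"  # listener is not TLS, or rejected our handshake
    print(f"{host}:{port} -> {verdict}")
```

A verdict of not_http is the evidence to attach to the scanner vendor ticket: the raw bytes show there is no HTTP status line, so the "configure HSTS" remediation has nothing to attach to. The script also treats a Strict-Transport-Security header without max-age as missing, since browsers discard such a header, which is a detail a scanner that only greps for the header name can get wrong in the other direction.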
dannyb1971
Lurker
Posts: 2
Liked: never
Joined: May 21, 2023 5:48 pm
Full Name: Danny Ben

Re: Veeam 12 HSTS Missing From HTTPS Server port 6172

Post by dannyb1971 »

Hi HannesK, thank you for your reply. I will submit a ticket and keep you updated.
carl.20150508
Influencer
Posts: 14
Liked: never
Joined: Jul 31, 2023 7:47 am
Full Name: Carl

Re: Veeam 12 HSTS Missing From HTTPS Server port 6172

Post by carl.20150508 »

dannyb1971 wrote: May 21, 2023 5:59 pm Hi,

I'm now testing Veeam Backup & Replication 12, Build 12.0.0.1420 P20230412, on Windows 2019. As part of my security task, I ran the Tenable scanner and received a vulnerability finding on port 6172. Any idea how to enforce HSTS on port 6172?
Did you fix the problem?