Insecure encryption algorithm - SSL/TLS

Need

Implementation of secure encryption algorithms for SSL/TLS communication

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of azurerm for managing Azure resources and services

Description

Non compliant code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    min_tls_version          = "1.0"
  }
}

The above Terraform code is used to create an Azure App Service. The vulnerability lies in the site_config block where the min_tls_version is set to "1.0".

TLS 1.0 is known to be insecure because of several published attacks (such as POODLE and BEAST), and a newer version of the protocol (TLS 1.2 or later) is recommended. Accepting an insecure TLS version can expose sensitive data to attackers and leaves the system susceptible to man-in-the-middle attacks.

In this case, any data transmitted between the Azure App Service and clients could potentially be intercepted and read by an attacker. This is particularly concerning if the App Service is used to transmit sensitive data, such as personally identifiable information (PII), credit card numbers, or other confidential business data.

Steps

  • Update the TLS protocol version to TLSv1.2 or TLSv1.3
  • Modify the 'min_tls_version' property in the 'site_config' block of the 'azurerm_app_service' resource
  • Remove or comment out the line 'min_tls_version = "1.0"'
  • Save the changes and apply the Terraform configuration

Compliant code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    min_tls_version          = "1.2" // Updated from "1.0" to "1.2"
  }
}

The original code was vulnerable due to the use of an insecure TLS protocol version (1.0). This version of the protocol is known to have several security issues and is not recommended for use.

The updated code fixes this vulnerability by raising the minimum TLS version to 1.2 in the azurerm_app_service resource: the min_tls_version property in the site_config block is changed from "1.0" to "1.2", so the App Service rejects handshakes from clients that only offer TLS 1.0 or 1.1.

After making these changes, save the Terraform configuration file and apply it to update the infrastructure. This will ensure that the app service only uses secure versions of the TLS protocol, mitigating the risk of attacks that exploit vulnerabilities in older versions.
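A lightweight pre-apply check for this finding, added here as an example and not part of the original page or the azurerm provider: it scans Terraform text for azurerm_app_service resources and reports any whose site_config pins min_tls_version below 1.2 or omits it entirely. The sample configuration is constructed from the page's two snippets; the brace-matching parser is a deliberate simplification (it does not handle braces inside strings or comments).

```python
import re

# Constructed sample: the page's non-compliant and compliant site_config
# blocks, plus a resource that leaves min_tls_version unset.
SAMPLE_TF = '''
resource "azurerm_app_service" "legacy" {
  site_config {
    min_tls_version = "1.0"
  }
}
resource "azurerm_app_service" "hardened" {
  site_config {
    min_tls_version = "1.2" // Updated from "1.0" to "1.2"
  }
}
resource "azurerm_app_service" "implicit" {
  site_config {
    scm_type = "LocalGit"
  }
}
'''

ALLOWED_TLS = {"1.2", "1.3"}
RESOURCE_RE = re.compile(r'resource\s+"azurerm_app_service"\s+"([^"]+)"\s*\{')
TLS_RE = re.compile(r'min_tls_version\s*=\s*"([^"]+)"')


def _block_body(text, start):
    """Return the text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform text")


def check_min_tls(text):
    """Return (resource_name, message) for each azurerm_app_service that does
    not explicitly pin min_tls_version to an allowed version."""
    findings = []
    for m in RESOURCE_RE.finditer(text):
        name, body = m.group(1), _block_body(text, m.end() - 1)
        tls = TLS_RE.search(body)
        if tls is None:
            findings.append((name, "min_tls_version not set; pin it to 1.2 or 1.3"))
        elif tls.group(1) not in ALLOWED_TLS:
            findings.append((name, f"min_tls_version = {tls.group(1)!r} is below 1.2"))
    return findings
```

Running `check_min_tls(SAMPLE_TF)` flags the `legacy` and `implicit` resources and passes `hardened`; the unset case is reported because relying on a provider default leaves the protocol floor undocumented in the code under review.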

References