
Insecure encryption algorithm - Anonymous cipher suites

Need

Secure encryption algorithm for all connections

Context

  • Usage of C# 7.0 for modern language features and enhancements
  • Usage of Microsoft.Extensions.DependencyInjection for Dependency Injection in .NET applications
  • Usage of Microsoft.AspNetCore.Authentication for implementing authentication in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Http for handling HTTP requests and responses in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.HttpsPolicy for enforcing HTTPS security in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Mvc for building web applications using the ASP.NET Core MVC framework

Description

Non compliant code

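using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // No TLS protocol or cipher suite restrictions are configured anywhere in this method.
    services.AddAuthentication()
        .AddScheme<AuthenticationSchemeOptions, CustomAuthenticationHandler>("CustomAuthentication", null);

    // Redirects HTTP to HTTPS, but does not control how the TLS session is negotiated.
    services.AddHttpsRedirection(options =>
    {
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 5001;
    });

    services.AddMvc();
}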

In the provided code, the application does not restrict the cipher suites it accepts, so connections with anonymous cipher suites are allowed.

The ConfigureServices method is used to add services to the application. Among these services, the AddAuthentication method is used to add and configure authentication services. The AddScheme method is used to add a custom authentication scheme. That scheme authenticates requests at the application layer and does not restrict what the TLS layer beneath it negotiates, so connections with anonymous cipher suites could still be allowed if the server is not properly configured.

The AddHttpsRedirection method is used to configure HTTPS redirection, which redirects HTTP requests to HTTPS. However, this does not guarantee secure connections if the application accepts anonymous cipher suites.

The AddMvc method is used to add MVC services to the application, which does not have a direct impact on the vulnerability but is part of the application configuration.

The vulnerability lies in the fact that the application does not explicitly disable anonymous cipher suites. This could allow an attacker to establish a connection with an anonymous cipher suite, which does not authenticate the server and could lead to man-in-the-middle attacks.

Steps

  • Disable support for anonymous cipher suites.
  • Use a secure encryption algorithm for authentication and communication.
  • Update the authentication configuration to use a secure authentication scheme.
  • Ensure that HTTPS redirection is properly configured and enforced.
  • Regularly update and patch the application and its dependencies to stay protected against new vulnerabilities.

Compliant code

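using System.Security.Authentication;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication()
        .AddScheme<AuthenticationSchemeOptions, CustomAuthenticationHandler>("CustomAuthentication", null);

    services.Configure<KestrelServerOptions>(options =>
    {
        // Defaults applied to every HTTPS endpoint.
        options.ConfigureHttpsDefaults(co =>
        {
            // Accept only TLS 1.2 and TLS 1.3.
            co.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
            // These two are properties of HttpsConnectionAdapterOptions (co), not of the
            // SslServerAuthenticationOptions instance passed to OnAuthenticate.
            co.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
            co.CheckCertificateRevocation = true;
            co.OnAuthenticate = (context, sslOptions) =>
            {
                sslOptions.AllowRenegotiation = false;
            };
        });
    });

    services.AddHttpsRedirection(options =>
    {
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 5001;
    });

    services.AddMvc();
}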

The updated code now configures the Kestrel server options to use secure encryption protocols (TLS 1.2 and TLS 1.3) and disables the renegotiation of SSL connections. It also requires client certificates for authentication and enables the revocation check of these certificates. This way, the application no longer allows connections with anonymous cipher suites, which are insecure.

The ConfigureHttpsDefaults method is used to set the default HTTPS settings, which are applied to all endpoints. The SslProtocols property is set to SslProtocols.Tls12 | SslProtocols.Tls13 to only allow these secure protocols. The OnAuthenticate action is used to further configure the SSL options. AllowRenegotiation is set to false to prevent renegotiation attacks. ClientCertificateMode is set to RequireCertificate to require a client certificate for authentication. CheckCertificateRevocation is set to true to enable the revocation check of client certificates.

The HTTPS redirection is still properly configured and enforced, redirecting HTTP requests to HTTPS on port 5001 with a 307 Temporary Redirect status code.

Remember to regularly update and patch the application and its dependencies to stay protected against new vulnerabilities.
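The first step listed above, disabling anonymous cipher suites, can also be expressed as an explicit allow-list set from the OnAuthenticate callback. The following is an added example, not code from the original page: the class name TlsCipherPolicy and the chosen suites are assumptions, and it relies on CipherSuitesPolicy (.NET Core 3.0 or later), which is not supported on Windows.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Runtime.InteropServices;

// Hypothetical helper (not from the original page): applies an explicit cipher
// suite allow-list and refuses any entry without server authentication or encryption.
public static class TlsCipherPolicy
{
    // Constructed allow-list: AEAD suites whose key exchange authenticates the server.
    private static readonly TlsCipherSuite[] Allowed =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,        // TLS 1.3
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,        // TLS 1.3
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,  // TLS 1.3
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    // Name fragments marking suites with no authentication (_anon_),
    // no encryption (_NULL_) or export-grade keys (_EXPORT_).
    private static readonly string[] Forbidden = { "_anon_", "_NULL_", "_EXPORT_" };

    public static bool IsForbidden(TlsCipherSuite suite) =>
        Forbidden.Any(f => suite.ToString().Contains(f, StringComparison.OrdinalIgnoreCase));

    // Wire-up: co.OnAuthenticate = (context, sslOptions) => TlsCipherPolicy.Apply(sslOptions);
    public static void Apply(SslServerAuthenticationOptions sslOptions)
    {
        // Fail at startup of the first handshake if someone edits the list badly.
        List<TlsCipherSuite> rejected = Allowed.Where(IsForbidden).ToList();
        if (rejected.Count > 0)
            throw new InvalidOperationException(
                "Allow-list contains insecure suites: " + string.Join(", ", rejected));

        sslOptions.AllowRenegotiation = false;

        // CipherSuitesPolicy is not supported on Windows, where the enabled
        // suites are controlled by the operating system configuration instead.
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(Allowed);
    }
}
```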
