Skip to main content

Insecure encryption algorithm - SSL/TLS

Description

The server allows the usage of insecure TLS protocol versions.

Impact

Compromise sensitive information that travels between client and server.

Recommendation

Update TLS protocol to version TLSv1.2 or TLSv1.3 if possible.

Threat

Unauthorized attacker from adjacent network.

Expected Remediation Time

⌚ 100 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
  • Score:
    • Base: 2.6
    • Temporal: 2.3
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Implement a secure TLS protocol version in the resources

resource "azurerm_storage_account" "secure_example" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
min_tls_version = "TLS1_3"

tags = {
environment = "staging"
}
}

Non compliant code

Examples with insecure TLS protocol configuration on resources

Using IaC on terraform and other options

resource "azurerm_storage_account" "insecure_example" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
min_tls_version = "TLS1_0"

tags = {
environment = "staging"
}
}
Resources:
distribution1:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: def1
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: all
Origins:
- CustomOriginConfig:
OriginSSLProtocols:
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2

Using the AWS CLI with the following comands

$ aws cloudfront get-distribution --id {distribution_id}
--query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig'

The configuration metadata is obtained. An insecure configuration would show the following code:

[
{
"OriginProtocolPolicy": "https-only",
"HTTPPort": 80,
"OriginSslProtocols": {
"Items": [
"SSLv3",
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"Quantity": 4
},
"HTTPSPort": 443
}
]

Examples on source code

Using method to generate a Shared Access Signature (SAS) with specifying protocols as HttpsOrHttp

using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.File;

class ExampleClass{
public void ExampleMethod(SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string groupPolicyIdentifier, IPAddressOrRange ipAddressOrRange){
CloudFile cloudFile = new CloudFile(null);
SharedAccessProtocol protocols = SharedAccessProtocol.HttpsOrHttp;
cloudFile.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, protocols, ipAddressOrRange);
}
}

Example with service point manager disabled

using System;
public class ExampleClass{
public void ExampleMethod(){
AppContext.SetSwitch("Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols", true);
}
}

Example using http client without revocation list

using System.Net.Http;
class ExampleClass{
void ExampleMethod(){
WinHttpHandler winHttpHandler = new WinHttpHandler();
winHttpHandler.CheckCertificateRevocationList = false;
HttpClient httpClient = new HttpClient(winHttpHandler);
}
}

Example using weak security protocols

using System;
namespace Example{
public class InvokeService{
public InvokeService(){
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
}
}
}

Details

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.

The most common and well-known use of SSL/TLS is secure web browsing via the HTTPS protocol. Users visiting an HTTPS website can be assured of:

  • Authenticity, The server presenting the certificate is in possession of the private key that matches the public key in the certificate.

  • Integrity, Documents signed by the certificate (e.g. web pages) have not been altered in transit by a man in the middle.

  • Encryption, Communications between the client and server are encrypted.

Because of these properties, SSL/TLS and HTTPS allow users to securely transmit confidential information such as credit card numbers, social security numbers, and login credentials over the internet, and be sure that the website they are sending them to is authentic.

With an insecure HTTP website, these data are sent as plain text, readily available to any eavesdropper with access to the data stream. Furthermore, users of these unprotected websites have no trusted third-party assurance that the website they are visiting is what it claims to be.

Requirements