Insecure encryption algorithm - SSL/TLS - Azure
Need
Implementation of secure encryption algorithms for SSL/TLS communication
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of azurerm for managing Azure resources and services
Description
Insecure Code Example
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    min_tls_version          = "1.0"
  }
}
The above Terraform code creates an Azure App Service. The weakness is in the `site_config` block, where `min_tls_version` is set to "1.0". This value is the lowest protocol version the App Service will accept from clients, so the service still negotiates TLS 1.0 with any client that offers it, including a client that an attacker in the network path has downgraded to it. TLS 1.0 (together with TLS 1.1) is formally deprecated by RFC 8996: it has no AEAD cipher suites, its CBC mode is the target of the BEAST attack, and some implementations are also exposed to the TLS variant of POODLE, which is why current browsers and standards such as PCI DSS no longer accept it. Data exchanged between clients and the App Service over such a connection (session cookies, credentials, personally identifiable information, card numbers and other confidential business data) can therefore be intercepted or tampered with by a man-in-the-middle.
Steps
- Set `min_tls_version` in the `site_config` block of the `azurerm_app_service` resource to "1.2". This argument accepts only "1.0", "1.1" and "1.2", so "1.2" is the floor to configure; it does not prevent clients from negotiating anything newer the platform offers
- Removing the line also works, because the azurerm provider defaults new App Services to 1.2, but an explicit value is easier to audit and does not depend on a provider default
- Run `terraform plan`, confirm that the only change to the resource is `min_tls_version`, then run `terraform apply`
- Verify the deployed service: `az webapp config show --resource-group example-resources --name example-app-service --query minTlsVersion` should return "1.2", and `openssl s_client -connect <app-hostname>:443 -tls1` should no longer complete a handshake
Secure Code Example
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
    min_tls_version          = "1.2" // Updated from "1.0" to "1.2"
  }
}
The original code was vulnerable because it allowed TLS 1.0 as the minimum protocol version. The fix changes `min_tls_version` in the `site_config` block of the `azurerm_app_service` resource from "1.0" to "1.2", the highest floor this argument accepts and the lowest version still considered secure. Once the configuration is applied, the App Service rejects handshakes from clients that offer only TLS 1.0 or 1.1, so the attacks against those versions no longer apply to it. Two caveats: the TLS floor only governs HTTPS connections, so pair it with `https_only = true` on the resource so that plaintext HTTP requests are not served; and `azurerm_app_service` is deprecated in azurerm 3.x in favour of `azurerm_linux_web_app` and `azurerm_windows_web_app`, where the same setting is `minimum_tls_version` inside `site_config` and should likewise be "1.2".
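The following is an added example, not code from the original page: a Python check that can run in pre-commit or CI over `.tf` files and fail the build when an App Service resource sets a TLS floor below 1.2, so the weak setting never reaches `terraform apply`. The resource types, the attribute names (`min_tls_version` for `azurerm_app_service`, `minimum_tls_version` for its `azurerm_linux_web_app` / `azurerm_windows_web_app` replacements) and the provider default of 1.2 are taken from the azurerm provider; the Terraform text embedded in the block is constructed for the demonstration, and the scanner is a line-oriented regex scanner (an assumption that holds for the layout of the snippets above but not for every HCL file, and no substitute for a full IaC scanner).

```python
"""CI / pre-commit guard for the weakness above: flag Azure App Service
resources in Terraform whose minimum inbound TLS version is below 1.2.
Added example, not code from the original page. Line-oriented scanner
(no full HCL parser): assumes one attribute per line and no heredocs."""
import re
import sys
from typing import List, Optional, Tuple

# site_config attribute that holds the TLS floor, per resource type.
# azurerm_app_service uses min_tls_version; its azurerm 3.x replacements
# use minimum_tls_version. Any other resource type is out of scope.
TLS_ATTRIBUTE = {
    "azurerm_app_service": "min_tls_version",
    "azurerm_app_service_slot": "min_tls_version",
    "azurerm_linux_web_app": "minimum_tls_version",
    "azurerm_windows_web_app": "minimum_tls_version",
}
MIN_SECURE = (1, 2)  # lowest TLS version that should still be accepted

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
TLS_RE = re.compile(r'^\s*(min_tls_version|minimum_tls_version)\s*=\s*"([^"]*)"')
Finding = Tuple[str, str, str]  # (resource address, attribute, value)


def strip_comment_and_count(line: str) -> Tuple[str, int]:
    """Drop a trailing # or // comment and return the net brace count.
    Quotes are tracked so braces in "${...}" interpolations and '#' inside
    string values do not disturb the block tracking."""
    in_str, delta = False, 0
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str:
            if c == "#" or line.startswith("//", i):
                return line[:i], delta
            delta += (c == "{") - (c == "}")
    return line, delta


def parse_version(value: str) -> Optional[Tuple[int, ...]]:
    """"1.2" -> (1, 2); anything that is not dotted integers -> None."""
    try:
        return tuple(int(p) for p in value.split("."))
    except ValueError:
        return None


def scan_terraform(text: str, report_missing: bool = False) -> List[Finding]:
    """Report in-scope resources whose TLS floor is below 1.2 or unparseable.
    With report_missing=True, resources that omit the attribute are reported
    too: azurerm defaults new apps to 1.2, but only an explicit value is
    something a reviewer or policy tool can verify in the code."""
    findings: List[Finding] = []
    current = None  # (type, name) of the resource block being scanned
    depth, tls_seen = 0, False
    for raw in text.splitlines():
        line, delta = strip_comment_and_count(raw)
        if depth == 0:
            m = RESOURCE_RE.match(line)
            if m:
                current, tls_seen = (m.group(1), m.group(2)), False
        elif current and current[0] in TLS_ATTRIBUTE:
            t = TLS_RE.match(line)
            if t:
                tls_seen = True
                version = parse_version(t.group(2))
                if version is None or version < MIN_SECURE:
                    findings.append((f"{current[0]}.{current[1]}", t.group(1), t.group(2)))
        depth += delta
        if current and depth == 0:  # closing brace of the resource block
            if report_missing and not tls_seen and current[0] in TLS_ATTRIBUTE:
                findings.append((f"{current[0]}.{current[1]}", TLS_ATTRIBUTE[current[0]], "<absent>"))
            current = None
    return findings


# Constructed sample (not a real deployment): the page's insecure resource, a
# TLS 1.1 web app with a trailing comment and an interpolated name, a hardened
# one, and one that silently relies on the provider default.
SAMPLE_TF = """
resource "azurerm_app_service" "example" {
  name = "example-app-service"
  site_config {
    min_tls_version = "1.0"
  }
}
resource "azurerm_linux_web_app" "legacy" {
  name = "legacy-${var.env}"
  site_config {
    minimum_tls_version = "1.1" // pinned for one old client
  }
}
resource "azurerm_windows_web_app" "hardened" {
  site_config {
    minimum_tls_version = "1.2"
  }
}
resource "azurerm_linux_web_app" "implicit" {
  site_config {}
}
"""

if __name__ == "__main__":
    # usage: python tls_check.py [--strict] [file.tf ...]; no file = sample
    strict = "--strict" in sys.argv
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    texts = [open(p, encoding="utf-8").read() for p in paths] or [SAMPLE_TF]
    hits = [f for t in texts for f in scan_terraform(t, report_missing=strict)]
    for address, attribute, value in hits:
        print(f"{address}: {attribute} = {value} (require 1.2)")
    sys.exit(1 if hits else 0)
```

Run as `python tls_check.py main.tf` (exit code 1 on findings, which is what a CI step or pre-commit hook keys on) or with `--strict` to also flag resources that leave the attribute unset. It only checks the declared configuration; after `terraform apply`, confirm the live setting with `az webapp config show --resource-group <rg> --name <app> --query minTlsVersion`.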
Last updated
2023/09/18