logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure encryption algorithm - SSL/TLS - Cloudformation

Need

Implementation of secure encryption algorithms and disabling insecure TLS protocol versions.

Context

  1. Usage of AWS CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS::ElasticLoadBalancingV2::Listener for managing load balancer listeners in AWS
  3. Usage of AWS::ElasticLoadBalancingV2::TargetGroup for managing target groups in AWS Load Balancer

Description

Insecure Code Example

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ExampleListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ExampleLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-2015-05
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ExampleTargetGroup

In the above CloudFormation template, we define a load balancer listener for an AWS Application Load Balancer. The listener is configured to listen on port 443 (HTTPS) and uses the `ELBSecurityPolicy-2015-05` SSL policy. The vulnerability lies in the `SslPolicy` that is being used. The `ELBSecurityPolicy-2015-05` policy allows the usage of insecure TLS protocol versions, including TLS 1.0 and 1.1. These versions of the TLS protocol are known to be insecure and susceptible to various attacks, such as BEAST, CRIME, and POODLE. This means that the data being transmitted between the client and the server could potentially be intercepted and decrypted by an attacker. This could lead to sensitive information being exposed, such as user credentials, credit card numbers, or other personal data. To fix this vulnerability, the `SslPolicy` should be updated to use a more secure policy, such as `ELBSecurityPolicy-TLS-1-2-2017-01`, which only allows the usage of the secure TLS 1.2 protocol version.

Steps

  1. Update the SSL/TLS protocol version to TLSv1.2 or TLSv1.3
  2. Ensure that the SSL/TLS configuration is using secure encryption algorithms
  3. Consider using a more secure SSL/TLS policy

Secure Code Example

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ExampleListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ExampleLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ExampleTargetGroup

The above code is a fixed version of the vulnerable code. The vulnerability was that the server allowed the usage of insecure TLS protocol versions. This is a serious security issue as it can allow attackers to exploit the weak encryption and potentially gain unauthorized access to sensitive data. The fix involves changing the `SslPolicy` from `ELBSecurityPolicy-2015-05` to `ELBSecurityPolicy-TLS-1-2-2017-01`. This change ensures that the server is now using a secure version of the TLS protocol, specifically TLSv1.2, which is currently considered secure. The `ELBSecurityPolicy-TLS-1-2-2017-01` policy is a predefined policy by AWS which includes the secure TLSv1.2 protocol along with secure cipher suites. This policy will help protect the server from attacks that target weak protocols and ciphers. Remember, it's important to regularly review and update your security configurations, as what is considered secure evolves over time.

References

  • 016 - Insecure encryption algorithm - SSL/TLS

    • Last updated

    2025/04/02