Insecure encryption algorithm - Anonymous cipher suites - Csharp


Need

Secure encryption algorithm for all connections


Context

  1. Usage of C# 7.0 for modern language features and enhancements
  2. Usage of Microsoft.Extensions.DependencyInjection for Dependency Injection in .NET applications
  3. Usage of Microsoft.AspNetCore.Authentication for implementing authentication in ASP.NET Core applications
  4. Usage of Microsoft.AspNetCore.Http for handling HTTP requests and responses in ASP.NET Core applications
  5. Usage of Microsoft.AspNetCore.HttpsPolicy for enforcing HTTPS security in ASP.NET Core applications
  6. Usage of Microsoft.AspNetCore.Mvc for building web applications using the ASP.NET Core MVC framework

Description

Insecure Code Example

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Custom application-level authentication scheme (handler defined elsewhere).
    services.AddAuthentication()
        .AddScheme<AuthenticationSchemeOptions, CustomAuthenticationHandler>("CustomAuthentication", null);

    // HTTP requests are redirected to HTTPS on port 5001, but nothing here
    // restricts the TLS protocol versions or cipher suites the server accepts.
    services.AddHttpsRedirection(options =>
    {
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 5001;
    });

    services.AddMvc();
}

In the code above, the application is configured without any restriction on the cipher suites it will accept, so connections using anonymous cipher suites remain possible. The `ConfigureServices` method registers the application's services. `AddAuthentication` adds and configures authentication services, and `AddScheme` registers a custom authentication scheme, which could allow connections with anonymous cipher suites if it is not properly configured. `AddHttpsRedirection` redirects HTTP requests to HTTPS, but redirecting to HTTPS does not by itself guarantee a secure connection when the server still accepts anonymous cipher suites. `AddMvc` registers the MVC services; it has no direct bearing on the vulnerability but is part of the application configuration. The vulnerability is that the application never explicitly disables anonymous cipher suites. An attacker could therefore establish a connection with an anonymous cipher suite, which does not authenticate the server and so enables man-in-the-middle attacks.

Steps

  1. Disable support for anonymous cipher suites.
  2. Use a secure encryption algorithm for authentication and communication.
  3. Update the authentication configuration to use a secure authentication scheme.
  4. Ensure that HTTPS redirection is properly configured and enforced.
  5. Regularly update and patch the application and its dependencies to stay protected against new vulnerabilities.

Secure Code Example

using System.Security.Authentication;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication()
        .AddScheme<AuthenticationSchemeOptions, CustomAuthenticationHandler>("CustomAuthentication", null);

    services.Configure<KestrelServerOptions>(options =>
    {
        // Defaults applied to every HTTPS endpoint Kestrel listens on.
        options.ConfigureHttpsDefaults(co =>
        {
            // Only TLS 1.2 and TLS 1.3 are negotiated.
            co.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

            // Client certificate requirements and revocation checking live on the
            // HTTPS connection adapter options, not on SslServerAuthenticationOptions.
            co.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
            co.CheckCertificateRevocation = true;

            // Per-connection hook over the underlying SslServerAuthenticationOptions.
            co.OnAuthenticate = (context, sslOptions) =>
            {
                sslOptions.AllowRenegotiation = false;
            };
        });
    });

    services.AddHttpsRedirection(options =>
    {
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 5001;
    });

    services.AddMvc();
}

The updated code configures the Kestrel server options to use secure encryption protocols (TLS 1.2 and TLS 1.3) and disables renegotiation of TLS (SSL) connections. It also requires client certificates for authentication and enables revocation checking of those certificates. As a result, the application no longer allows connections with insecure anonymous cipher suites. `ConfigureHttpsDefaults` sets the default HTTPS settings, which apply to all endpoints. `SslProtocols` is set to `SslProtocols.Tls12 | SslProtocols.Tls13` so that only these protocols are allowed. `ClientCertificateMode` is set to `RequireCertificate` to require a client certificate for authentication, and `CheckCertificateRevocation` is set to `true` to enable revocation checking of client certificates. The `OnAuthenticate` action further configures the per-connection TLS options, where `AllowRenegotiation` is set to `false` to prevent renegotiation attacks. HTTPS redirection remains configured and enforced, redirecting HTTP requests to HTTPS on port 5001 with a 307 Temporary Redirect status code. Remember to regularly update and patch the application and its dependencies to stay protected against new vulnerabilities.
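The Steps above call for disabling anonymous cipher suites, and the secure example restricts protocol versions without naming the suites themselves. The following added example (not part of the original page) does that explicitly with `CipherSuitesPolicy` and includes a probe that reports what a running server actually negotiates; the class `TlsHardening`, its method names and the specific allow-list are illustrative choices, and the code assumes .NET 5 or later.

```csharp
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

public static class TlsHardening
{
    // Allow-list: TLS 1.3 suites plus ECDHE/AEAD suites for TLS 1.2. Anonymous
    // (DH_anon/ECDH_anon), NULL, EXPORT and static-RSA suites are absent, so never offered.
    public static readonly TlsCipherSuite[] AllowedSuites =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    };

    // Call from ConfigureServices: restricts Kestrel to TLS 1.2/1.3 and the suites above.
    public static void Apply(IServiceCollection services)
    {
        services.Configure<KestrelServerOptions>(kestrel =>
        {
            kestrel.ConfigureHttpsDefaults(https =>
            {
                https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
                https.OnAuthenticate = (connection, sslOptions) =>
                {
                    sslOptions.AllowRenegotiation = false;
                    // CipherSuitesPolicy is honoured by the OpenSSL backend (Linux/macOS). On
                    // Windows its constructor throws PlatformNotSupportedException, because
                    // Schannel takes the suite list from OS policy, so it is skipped there.
                    if (!OperatingSystem.IsWindows())
                        sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(AllowedSuites);
                };
            });
        });
    }

    // Verification: open one TLS session to the running server and return what was
    // actually negotiated, so the deployed policy can be asserted rather than assumed.
    public static async Task<(SslProtocols Protocol, TlsCipherSuite Suite)> ProbeAsync(string host, int port)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        using var ssl = new SslStream(tcp.GetStream());
        await ssl.AuthenticateAsClientAsync(host);   // default certificate chain validation applies
        return (ssl.SslProtocol, ssl.NegotiatedCipherSuite);
    }
}
```

On Windows, the equivalent restriction is applied through the operating system's TLS cipher suite policy rather than in application code, and `ProbeAsync` can still be used to confirm the result.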


References

  • 092 - Insecure encryption algorithm - Anonymous cipher suites
  • Last updated: 2023/09/18