Insecure encryption algorithm - SSL/TLS - Aws

Insecure encryption algorithm - SSL/TLS - Aws

Need

Implementation of secure encryption algorithms and disabling insecure TLS protocol versions.

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws_lb for managing load balancers in AWS
  • Usage of aws_lb_target_group for managing target groups in AWS Load Balancer

Description

Non compliant code

        resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2015-05"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn
  }
}
        
        

In the above Terraform code, we define a load balancer listener for an AWS application load balancer. The listener is configured to listen on port 443 (HTTPS) and uses the ELBSecurityPolicy-2015-05 SSL policy.

The vulnerability lies in the ssl_policy that is being used. The ELBSecurityPolicy-2015-05 policy allows the usage of insecure TLS protocol versions, including TLS 1.0 and 1.1. These versions of the TLS protocol are known to be insecure and susceptible to various attacks, such as BEAST, CRIME, and POODLE.

This means that the data being transmitted between the client and the server could potentially be intercepted and decrypted by an attacker. This could lead to sensitive information being exposed, such as user credentials, credit card numbers, or other personal data.

To fix this vulnerability, the ssl_policy should be updated to use a more secure policy, such as ELBSecurityPolicy-TLS-1-2-2017-01, which only allows the usage of the secure TLS 1.2 protocol version.

Steps

  • Update the SSL/TLS protocol version to TLSv1.2 or TLSv1.3
  • Ensure that the SSL/TLS configuration is using secure encryption algorithms
  • Consider using a more secure SSL/TLS policy

Compliant code

        resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn
  }
}
        
        

The above code is a fixed version of the vulnerable code. The vulnerability was that the server allowed the usage of insecure TLS protocol versions. This is a serious security issue as it can allow attackers to exploit the weak encryption and potentially gain unauthorized access to sensitive data.

The fix involves changing the ssl_policy from ELBSecurityPolicy-2015-05 to ELBSecurityPolicy-TLS-1-2-2017-01. This change ensures that the server is now using a secure version of the TLS protocol, specifically TLSv1.2, which is currently considered secure.

The ELBSecurityPolicy-TLS-1-2-2017-01 policy is a predefined policy by AWS which includes the secure TLSv1.2 protocol along with secure cipher suites. This policy will help protect the server from attacks that target weak protocols and ciphers.

Remember, it's important to regularly review and update your security configurations, as what is considered secure evolves over time.

References