cloudfoundry / routing-release

This is the BOSH release for cloud foundry routers
Apache License 2.0

health endpoint ciphers could do with tightening up #400

Open thelangley opened 5 months ago

thelangley commented 5 months ago

Is this a security vulnerability?

Kinda. SHA1 shouldn't be used really

Issue

Relatively recently the health endpoint has been secured so it's accessible over 443. I think a one-liner bit of config / configurable could be created which could tighten security and make it pass a security scan.

Affected Versions

Any versions that have the healthz endpoint served over 443. We use v0.293.0

Context

Internal security have scanned and said that the data is being served over vulnerable ciphers

Traffic Diagram

Not applicable

Steps to Reproduce

nmap -sV --script ssl-enum-ciphers -p 443 tcp-router-address

Expected result

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A

Current result

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

Possible Fix

We could add a line to haproxy.conf.erb#L7C49-L8C1

ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

Additional Context

Could even make it configurable so that particular companies can harden according to their own best practices.
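As an added example (not part of this issue or of the routing-release code), a small Python checker that parses `nmap --script ssl-enum-ciphers` output like the blocks above and reports which suites the proposed `ssl-default-bind-ciphers` line would drop, and why. The embedded scan text is a constructed copy of the "Current result" block; the policy rules mirror that cipher string (ECDHE only, AES only, no SHA1 MAC), so a non-empty result means the endpoint is still serving something the proposed config would reject.

```python
import re
# Constructed sample: the "Current result" nmap ssl-enum-ciphers output from the issue.
CURRENT_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
"""

# One cipher line: "|  <SUITE> (<key exchange info>) - <nmap grade>"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\S+)\s*$")

def parse_suites(scan_output):
    """Return [(suite, kex_info, grade)] for every cipher line in the nmap output."""
    suites = []
    for line in scan_output.splitlines():
        m = SUITE_RE.match(line)
        if m:
            suites.append(m.groups())
    return suites

def policy_violations(suite):
    """Reasons the proposed HAProxy string ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!SHA1 drops a suite."""
    reasons = []
    if not suite.startswith("TLS_ECDHE_"):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if suite.endswith("_SHA"):  # bare _SHA suffix means HMAC-SHA1; SHA256/SHA384 are fine
        reasons.append("SHA1 MAC")
    if "_AES_" not in suite:  # CHACHA20 is not weak, but the ECDH+AES* list excludes it
        reasons.append("not AES (not matched by ECDH+AESGCM/ECDH+AES256/ECDH+AES128)")
    return reasons

def audit(scan_output):
    """Map each suite the proposed config would drop to its reasons; {} means the scan is clean."""
    result = {}
    for suite, _kex, _grade in parse_suites(scan_output):
        reasons = policy_violations(suite)
        if reasons:
            result[suite] = reasons
    return result
```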

thelangley commented 5 months ago

like this? https://github.com/cloudfoundry/routing-release/compare/develop...thelangley:routing-release:issue-400-harden-healthcheck-endpoint-ciphers