Insecure Network Communication
Fixing Cleartext Transmission
About Cleartext Transmission
What is Cleartext Transmission?
Cleartext transmission, also known as plaintext transmission, refers to the process of transmitting data over a network or communication channel without encryption or other security measures that protect the data from interception or unauthorized access.
In cleartext transmission, the data is transmitted in plain, human-readable format, which means that anyone who has access to the communication channel can read, intercept, or modify the data without any difficulty.
Cleartext transmission can occur in various communication protocols, such as HTTP, FTP, SMTP, and Telnet, and can affect various types of data, such as login credentials, credit card information, personal data, and other types of sensitive information.
Check out these videos for a high-level explanation:
Communication over cleartext protocol
Unprotected transport of sensitive information
Unprotected transport of credentials
What is the impact of Cleartext Transmission?
Cleartext transmission can lead to various security threats and risks, such as:
- Information disclosure: Cleartext transmission can expose sensitive or confidential information to unauthorized parties, such as passwords, credit card numbers, personal data, or other types of sensitive information.
- Man-in-the-middle attacks: Cleartext transmission can be intercepted by attackers who can eavesdrop on the communication channel, modify or steal the data, or impersonate the parties involved in the communication.
- Identity theft: Cleartext transmission can lead to identity theft, where attackers can use stolen personal data to assume the identity of victims and perform various malicious activities, such as financial fraud or unauthorized access to systems.
- Data tampering: Cleartext transmission can allow attackers to modify or inject false data into the communication channel, leading to data tampering, data corruption, or other types of malicious activities.
How to prevent Cleartext Transmission?
To prevent cleartext transmission, you can take the following steps:
- Use encryption: Encrypt sensitive data before transmitting it over any communication channel. Use encryption protocols such as SSL/TLS or HTTPS to ensure that data is encrypted in transit.
- Secure communication channels: Use secure communication channels such as SFTP, SSH, or VPNs to transmit sensitive data. These protocols provide encryption and authentication, which can help prevent unauthorized access and eavesdropping.
- Disable cleartext protocols: Disable cleartext protocols such as HTTP or FTP, and use only encrypted protocols such as HTTPS or SFTP to transmit sensitive data.
- Implement data validation: Implement data validation mechanisms to ensure that only valid data is transmitted. Validate user input and filter out any sensitive data before transmitting it.
Website Not Forcing HTTPS
'Microsoft.Web/sites' should force the use of HTTPS.
Option A: Make sure only HTTPS requests are accepted
Make sure the 'Microsoft.Web/sites' httpsOnly property is defined and set to true. By doing so, only HTTPS requests will be accepted; HTTP requests will be redirected to HTTPS.
Locate one of the following vulnerable patterns:
Vulnerable pattern: httpsOnly is undefined
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"No httpsOnly": "here"
},
"resources": []
}
],
"outputs": {}
}

Vulnerable pattern: httpsOnly is false
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": false
},
"resources": []
}
],
"outputs": {}
}

Vulnerable pattern: httpsOnly nested within properties.template is undefined
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"No httpsOnly": "here"
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}

Vulnerable pattern: httpsOnly nested within properties.template is false
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": false
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}

Modify the config to something like the following:

Replacement pattern: httpsOnly is true
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
}

Replacement pattern: httpsOnly nested within properties.template is true
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}

Test it
Ship it 🚢 and relax 🌴
Securing TLS configuration
About Insecure TLS Configuration
What is insecure TLS configuration?
Insecure TLS (Transport Layer Security) configuration refers to the use of weak or vulnerable cryptographic algorithms or protocols in the configuration of TLS on a system or application.
TLS is used to secure communication channels between clients and servers. Insecure TLS configuration can lead to a range of security vulnerabilities.
Check out these videos for a high-level explanation:
Weak Algorithms
Weak Cipher Suites
What is the impact of insecure TLS configuration?
Insecure TLS (Transport Layer Security) configuration can have significant impacts on the security and privacy of communication channels between clients and servers.
Here are some of the potential impacts:
- Man-in-the-middle (MITM) attacks: Weak or outdated cryptographic algorithms can be exploited by attackers to intercept and modify data in transit between a client and server. This can enable attackers to steal sensitive data or manipulate communication channels to launch other attacks.
- Information disclosure: Insecure TLS configuration can allow attackers to gain access to sensitive data, such as login credentials or personal information, transmitted between the client and server. This can lead to data breaches or compromise of sensitive information.
How to prevent insecure TLS configuration?
To prevent insecure TLS (Transport Layer Security) configuration, several measures can be taken, including:
- Use strong cryptographic algorithms and protocols: Use strong cryptographic algorithms and protocols, such as TLS 1.2 or higher, and disable outdated protocols and weak algorithms, such as SSLv2 and SSLv3. This can help prevent attackers from exploiting vulnerabilities in the encryption and authentication processes.
- Use appropriate key sizes: Use appropriate key sizes to ensure that the cryptographic keys used in the TLS communication are strong enough to resist attacks. Key sizes of 2048 bits or higher are recommended.
- Regularly update software and systems: Regularly update software and systems to ensure that the latest security patches are applied and known vulnerabilities are addressed.
References
Taxonomies
Explanation & Prevention
- OWASP: Transport Layer Protection Cheat Sheet
- WASC-04: Insufficient Transport Layer Protection
- POODLE (CVE Details)
- BEAST (CVE Details)
- CRIME (CVE Details)
- FREAK (CVE Details)
- BREACH (CVE Details)
- LOGJAM (CVE Details)
Web App Not Using TLS Last Version
Resources of type Microsoft.Web/sites should define properties.siteConfig.minTlsVersion with 1.2 to ensure it's as hard as possible for attackers to take advantage of known SSL/TLS weaknesses in your application's traffic.
Option A: Make sure the minimum version of TLS used is 1.2
If properties.siteConfig.minTlsVersion is undefined or not the latest version, update it to the latest version.
Locate one of the following vulnerable patterns:
Vulnerable pattern: properties.siteConfig.minTlsVersion is not the latest version
{
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "App",
"location": "[resourceGroup().location]",
"properties": {
"siteConfig": {
"minTlsVersion": "1.0"
}
}
}
]
}

Vulnerable pattern: properties.siteConfig.minTlsVersion is undefined
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "App",
"location": "[resourceGroup().location]",
"properties": {}
}
]
}

Vulnerable pattern: properties.siteConfig.minTlsVersion within properties.template is not the latest version
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "App",
"location": "[resourceGroup().location]",
"properties": {
"siteConfig": {
"minTlsVersion": "1.0"
}
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}

Vulnerable pattern: properties.siteConfig.minTlsVersion within properties.template is undefined
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "App",
"location": "[resourceGroup().location]",
"properties": {}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}

Modify the config to something like the following:

Replacement pattern:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "App",
"location": "[resourceGroup().location]",
"properties": {
"siteConfig": {
"minTlsVersion": "1.2"
}
}
}
]
}

Replacement pattern nested within properties.template:
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "App",
"location": "[resourceGroup().location]",
"properties": {
"siteConfig": {
"minTlsVersion": "1.2"
}
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}

Test it
Ship it 🚢 and relax 🌴
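Both rules on this page (httpsOnly at top level or nested under properties.template, and properties.siteConfig.minTlsVersion at or above 1.2) can be checked against a template before it is deployed. The script below is an added example, not the rule engine behind this page; the function names, the MIN_TLS constant and the two sample templates are constructed here, and it generalizes the patterns above to child resources and to any minTlsVersion below 1.2.

```python
import json

MIN_TLS = "1.2"  # lowest minTlsVersion the rule accepts (from the page)

def _version_tuple(v):
    """Turn "1.0" into (1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in str(v).split("."))

def find_web_sites(doc):
    """Yield every Microsoft.Web/sites resource in an ARM template or a Blueprint artifact."""
    resources = list(doc.get("resources", []))
    nested = (doc.get("properties") or {}).get("template")  # Blueprint wrapper
    if isinstance(nested, dict):
        resources += nested.get("resources", [])
    for res in resources:
        if res.get("type") == "Microsoft.Web/sites":
            yield res
        # child resources can carry their own "resources" array
        yield from find_web_sites({"resources": res.get("resources", [])})

def check_template(template_json):
    """Return (resource name, finding) pairs; an empty list means compliant."""
    findings = []
    for site in find_web_sites(json.loads(template_json)):
        name = site.get("name", "<unnamed>")
        props = site.get("properties") or {}
        if props.get("httpsOnly") is not True:  # undefined or false both fail
            findings.append((name, "httpsOnly missing or false"))
        tls = (props.get("siteConfig") or {}).get("minTlsVersion")
        if tls is None:
            findings.append((name, "minTlsVersion undefined"))
        elif _version_tuple(tls) < _version_tuple(MIN_TLS):
            findings.append((name, f"minTlsVersion {tls} below {MIN_TLS}"))
    return findings

# Constructed samples: a Blueprint artifact whose nested template fails both
# rules, and a plain template with both fixes applied.
VULNERABLE = json.dumps({
    "kind": "template", "type": "Microsoft.Blueprint/blueprints/artifacts",
    "name": "myTemplate", "properties": {"template": {"resources": [{
        "type": "Microsoft.Web/sites", "name": "webSite",
        "properties": {"httpsOnly": False, "siteConfig": {"minTlsVersion": "1.0"}}}]}}})
FIXED = json.dumps({"resources": [{
    "type": "Microsoft.Web/sites", "name": "webSite",
    "properties": {"httpsOnly": True, "siteConfig": {"minTlsVersion": "1.2"}}}]})

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, check_template(doc) or "compliant")
```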