turbot/net_insights

Control: SSL/TLS servers should avoid using CBC cipher suites

Description

Cipher block chaining (CBC) is a mode of operation for a block cipher in which a sequence of bits are encrypted as a single unit, or block, with a cipher key applied to the entire block. The problem with CBC mode is that the decryption of blocks is dependent on the previous ciphertext block, which means attackers can manipulate the decryption of a block by tampering with the previous block using the commutative property of XOR. If the server uses TLS 1.2 or TLS 1.1, or TLS 1.0 with CBC cipher modes, there is a chance that the server gets vulnerable to Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_avoid_using_cbc_cipher_suite

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_avoid_using_cbc_cipher_suite --share

Steampipe Tables

Params

ArgsNameDefaultDescriptionVariable
$1domain_names
["github.com","microsoft.com"]
DNS domain names.

SQL

with domain_list as (
select domain, concat(domain, ':443') as address from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
check_cbc_cipher as (
select
address,
count(*)
from
net_tls_connection
where
address in (select address from domain_list)
and version in ('TLS v1.2', 'TLS v1.1', 'TLS v1.0')
and cipher_suite_name in ('TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
and handshake_completed
group by address
)
select
d.domain as resource,
case
when i.address is null or i.count < 1 then 'ok'
else 'alarm'
end as status,
case
when i.address is null or i.count < 1 then d.domain || ' does not use CBC cipher suites.'
else d.domain || ' uses CBC cipher suites.'
end as reason
from
domain_list as d
left join check_cbc_cipher as i on d.address = i.address;