Deprecated TLS version usage in cockpit web service #21474

Open
okcrum opened this issue Dec 29, 2024 · 0 comments
okcrum commented Dec 29, 2024

Explain what happens

When penetration testing my local network with Greenbone OpenVAS, I found TLS 1.0 and 1.1 enabled, both of which are known to be cryptographically vulnerable. This is against the web service at port 9090 of the cockpit server. Report from the scan is below. A workaround is to use a proxy in front of cockpit which supports TLS1.2+ only.

Summary
It was possible to detect the usage of the deprecated TLSv1.0
and/or TLSv1.1 protocol on this system.
Detection Result

In addition to TLSv1.2+ the service is also providing the deprecated TLSv1.0 and TLSv1.1 protocols and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Supported Cipher Suites' (OID: 1.3.6.1.4.1.25623.1.0.802067) VT.

Product Detection Result
Product

cpe:/a:ietf:transport_layer_security:1.0
Method

SSL/TLS: Version Detection (OID: 1.3.6.1.4.1.25623.1.0.105782)

Insight
The TLSv1.0 and TLSv1.1 protocols contain known cryptographic
flaws like:

  • CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST)

  • CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded Legacy
    Encryption (FREAK)

Detection Method
Check the used TLS protocols of the services provided by this
system.
Details:

SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection OID: 1.3.6.1.4.1.25623.1.0.117274
Version used:

2024-09-26T22:05:23-07:00
Affected Software/OS
All services providing an encrypted communication using the
TLSv1.0 and/or TLSv1.1 protocols.
Impact
An attacker might be able to use the known cryptographic flaws
to eavesdrop the connection between clients and the service to get access to sensitive data
transferred within the secured connection.

Furthermore newly uncovered vulnerabilities in this protocols won't receive security updates
anymore.
Solution
Solution Type:
Mitigation
It is recommended to disable the deprecated TLSv1.0 and/or
TLSv1.1 protocols in favor of the TLSv1.2+ protocols. Please see the references for more
information.
References
CVE

CVE-2011-3389
CVE-2015-0204
Other

https://ssl-config.mozilla.org/
https://bettercrypto.org/
https://datatracker.ietf.org/doc/rfc8996/
https://vnhacker.blogspot.com/2011/09/beast.html
https://web.archive.org/web/20201108095603/
https://censys.io/blog/freak
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

Version of Cockpit

287.1-0+deb12u3

Where is the problem in Cockpit?

Networking/Services

Server operating system

Debian

Server operating system version

12 (bookworm)

What browsers are you using?

Firefox

System log

No response

@okcrum okcrum added the bug label Dec 29, 2024
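The check behind the scanner's finding, as an added example (not Cockpit's code and not from the reporter): open one handshake per protocol version against a service and report which deprecated versions it accepts. It assumes the target is reachable (default localhost:9090, Cockpit's web service) and that the local Python/OpenSSL build can still offer TLS 1.0/1.1 when asked; where it cannot, the probe reports "unknown" rather than a false "disabled".

```python
import socket
import ssl

# RFC 8996 deprecates TLS 1.0 and 1.1, which is exactly what the scanner flagged.
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
ALL_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def client_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we probe the protocol, not the identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version in DEPRECATED:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx

def accepts_version(host, port, version, timeout=5.0):
    """True if the server handshakes at `version`, False if it refuses, None if
    the local stack cannot offer it (None must not be read as 'disabled')."""
    try:
        ctx = client_context(version)
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def probe(host, port):
    """Map every TLS version to accepted (True) / refused (False) / unknown (None)."""
    return {v: accepts_version(host, port, v) for v in ALL_VERSIONS}

def assess(results):
    """Return (deprecated versions the server accepted, versions left unprobed)."""
    accepted = sorted(v.name for v, ok in results.items() if ok and v in DEPRECATED)
    unknown = sorted(v.name for v, ok in results.items() if ok is None)
    return accepted, unknown

if __name__ == "__main__":
    import sys  # usage: probe_tls.py [host] [port]; defaults to Cockpit on localhost (assumed)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9090
    print(assess(probe(host, port)))
```

Run it again after putting a TLS 1.2+-only proxy in front of port 9090 (the workaround above) to confirm the deprecated list comes back empty.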