Sweet32 Attack on Kong webhook svc #1124

Open
abhilashbs1981 opened this issue Sep 2, 2024 · 0 comments

While scanning the Kong API gateway webhook we are getting the issue below.
We are using the latest version of the Kong Helm chart for deployment in a Kubernetes cluster.

The version we are using is 2.26.1 (chart values), but the same issue exists even for the latest version, 2.41.9.

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C shouldn't be supported.

nmap -sV --script ssl-enum-ciphers -p 443 kong-kong-validation-webhook.default.svc.cluster.local
Starting Nmap 7.92 ( https://nmap.org/ ) at 2024-08-31 19:11 UTC
Nmap scan report for kong-kong-validation-webhook.default.svc.cluster.local (10.105.189.123)
Host is up (0.000037s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, HTTPOptions:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sat, 31 Aug 2024 19:12:06 GMT
|     Content-Length: 4
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C

We have also added the below in the Helm chart, but it is still not reflected in the scan, even though it appears in the deployment file.

  env:
    ssl_cipher_suite: "modern"
    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

OR

  env:
    ssl_cipher_suite: "custom"
    ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305"
    ssl_prefer_server_ciphers: "on"
    ssl_protocols: "TLSv1.2 TLSv1.3"
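The practical question after changing the cipher settings is whether the re-scan actually lost the 3DES suite. The script below is an added example, not code from the issue or from the Kong project: it parses nmap `ssl-enum-ciphers` output of the shape quoted above, flags every suite built on a 64-bit block cipher (the SWEET32 class), and reports nmap's weakest letter grade so the check can run in CI against a saved scan. Both scan texts are constructed samples (the "after" one is what a clean re-scan would look like, not a result from the page), and the marker list and `min_grade` policy are this example's own assumptions.

```python
import re

# Constructed sample: the ssl-enum-ciphers block from the scan quoted in the issue,
# including the stray "**" bold markers the pasted text carries around the 3DES line.
SCAN_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
**|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C**
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
"""

# Constructed sample of what a re-scan should look like once 3DES is gone.
SCAN_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""

# Substrings of IANA suite names that identify 64-bit block ciphers (SWEET32 class):
# triple DES, single DES, RC2 and IDEA. Assumed list for this example.
SWEET32_MARKERS = ("3DES", "DES_CBC", "RC2", "IDEA")

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
# Tolerate up to two leading/trailing '*' so copy-pasted bold markup does not hide a line.
CIPHER_RE = re.compile(
    r"^\*{0,2}\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\*{0,2}\s*$"
)


def parse_enum_ciphers(text):
    """Return {protocol: [{'name', 'kex', 'grade'}, ...]} from ssl-enum-ciphers output."""
    suites = {}
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites[proto] = []
            continue
        m = CIPHER_RE.match(line)
        if m and proto is not None:
            suites[proto].append({"name": m.group(1), "kex": m.group(2), "grade": m.group(3)})
    return suites


def sweet32_suites(suites):
    """Suite names whose symmetric cipher has a 64-bit block, sorted for stable output."""
    return sorted(
        s["name"]
        for per_proto in suites.values()
        for s in per_proto
        if any(marker in s["name"] for marker in SWEET32_MARKERS)
    )


def weakest_grade(suites):
    """nmap grades suites A (best) to F (worst); the highest letter is the weakest."""
    grades = [s["grade"] for per_proto in suites.values() for s in per_proto]
    return max(grades) if grades else None


def audit(text, min_grade="A"):
    """Summarise a scan: SWEET32 suites, weakest grade, and whether it meets the policy."""
    suites = parse_enum_ciphers(text)
    findings = sweet32_suites(suites)
    weakest = weakest_grade(suites)
    compliant = not findings and weakest is not None and weakest <= min_grade
    return {"sweet32": findings, "weakest": weakest, "compliant": compliant}


if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(label, audit(scan))
```

Feed it the saved output of `nmap --script ssl-enum-ciphers -p 443 <host>` before and after the chart change; if the "after" audit still lists the 3DES suite, the cipher setting is not reaching the listener that serves the webhook port, whatever the deployment manifest shows.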