Hi,
We have started using a Azure Web App service for one of the Nodejs app on windows with code.
Our security team has run a penetration testing , using Qualys. The report flagged the Web App to be vulnerable for - TLS Protocol Session Renegotiation Security Vulnerability. Here is the snippet of the report.
How should we fix/explain this on Web app service?
Threat
Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks at the Transport Layer.
TLS protocol is prone to a security vulnerability that allows for man-in-the-middle attacks. Note that this issue does not allow attackers to decrypt encrypted data
Specifically, the issue exists in a way applications handle the session renegotiation process and may allow attackers to inject arbitrary plaintext into the beginning
of application protocol stream. The attack has been confirmed to work with HTTP as the application protocol but it is believed to be also possible with other
protocols that are layered on TLS.
Impact
In case of the HTTP protocol used with the vulnerable TLS implementation, this attack is carried out by intercepting 'Client Hello' requests and then forcing
session renegotiation. An unauthorized attacker can then cause the webserver to process arbitrary requests that would otherwise require valid client side
certificate for authorization. Please note that the attacker will not be able to gain direct access to the server response.
A proof of concept attacks have been demonstrated where the user credentials were extracted using this vulnerability.
Mitigating factors: To successfully exploit this vulnerability a full man-in-the-middle control of the TCP connection is required. The attacker needs to accept the
TCP connection from the client and establish a new connection to the server.
Solution
For Microsoft Windows, refer to MS10-049 for further information.
For Cisco products refer to Document ID:1454786328728104 for further information.
Disable renegotiation completely.
Workaround:
OpenSSL has provided a version (0.9.8l) that has a workaround. Please refer to OpenSSL Change Log (Changes between 0.9.8k and 0.9.8l Section) to obtain
additional details.
Microsoft has provided the following workaround:
- Enable SSLAlwaysNegoClientCert on IIS 6 and above: Web servers running IIS 6 and later that are affected because they require mutual authentication by
requesting a client certificate, can be hardened by enabling the SSLAlwaysNegoClientCert setting. This will cause IIS to prompt the client for a certificate upon the
initial connection, and does not require a server-initiated renegotiation.