Azure Bastion
An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.
242 questions
Is there any plan to move away from CBC based ciphers within TLS cipher suites in Azure Bastion?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sas P
0
Reputation points
We have had a report from a security pen test vendor stating that weak CBC based ciphers are still in use by the Azure Bastion service and ideally these should be disabled. Viable alternatives include AES-GCM and ChaCha20-Poly1305 suites. I read in a Microsoft article that in future the customer will be able to configure the minimum TLS Cipher suite to be used on the Azure service. https://techcommunity.microsoft.com/t5/apps-on-azure-blog/min-tls-cipher-suite-preview-now-available-on-azure-portal-and/ba-p/3804134 Is Azure Bastion on any roadmap to have the same configurable setting? Or is there any plan to disable the future use of these ciphers in relation to Azure Bastion? Thank you
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee2024-01-27T02:40:19.2666667+00:00 @Sas P
Thank you for reaching out. I have reached out to the team internally regarding this issue and will make an update here as soon as I get a response. Thank you! -
Sas P 0 Reputation points
2024-02-23T17:55:39.7866667+00:00 Hi Anyone know if there has been any responses to this query? I came across the following article that CBC Suites are still in use in Microsoft Azure architecture although doesnt say why its still use in Azure. https://techcommunity.microsoft.com/t5/security-compliance-and-identity/support-for-legacy-tls-protocols-and-cipher-suites-in-azure/ba-p/3952099 The vulnerability identified in this suite is presented as follows: In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC encryption algorithm (see isg.rhul.ac.uk). Additionally, the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been introduced with TLS 1.2 in form of the GCM mode which is not vulnerable to the BEAST attack. GCM should be preferred over CBC. https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/
Sign in to comment