SSL Medium Strength Cipher Suites Supported (SWEET32)

Created At: Updated At:

SSL Medium Strength Cipher Suites Supported (SWEET32)

我有一台 Ubuntu 安裝 microk8s 被若掃到,掃到的弱點是 SSL Medium Strength Cipher Suites Supported (SWEET32)。紀錄一下處理方式,其中我比較少用 nmap,所以才現 nmap 可以這樣檢查。另外 microk8s 相關服務,以前也很少改動的經驗,

驗證弱點

可以根據弱掃報告提供的資料看來是

  • 16443 API server
  • 25000 cluster-agent
  • 10257 kube-controller
  • 10259 kube-scheduler

這些服務有問題。

可以用 nmap 重新確認:

$ nmap --script ssl-enum-ciphers -p 16443 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 07:13 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).

PORT      STATE SERVICE
16443/tcp open  unknown
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

warning 是 64-bit block cipher 3DES vulnerable to SWEET32 ,查詢相關資料之後確認是需要 disable TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

作法

microk8s 的 issue 有相關作法:

需要修改相關檔案

  • /var/snap/microk8s/current/args/kube-apiserver
  • /var/snap/microk8s/current/args/kube-scheduler
  • /var/snap/microk8s/current/args/kube-controller-manager
  • /var/snap/microk8s/current/args/cluster-agent

/var/snap/microk8s/current/args/kube-apiserver

/var/snap/microk8s/current/args/kube-scheduler

/var/snap/microk8s/current/args/kube-controller-manager

找到 tls-cipher-suites 那一行,根據需要自己增刪修改,
我這邊有問題的是 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,所以我只要刪除掉就好。
所以我目前修改後的設定像這樣:

--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384

/var/snap/microk8s/current/args/cluster-agent

只要加上

--min-tls-version=tls13

重新驗證

通通好之後跑 microk8s stop and microk8s start
之後用nmap檢查!

$ nmap --script ssl-enum-ciphers -p 16443 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 07:27 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).

PORT      STATE SERVICE
16443/tcp open  unknown
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

已經沒有warning!

Reference:

https://microk8s.io/docs/services-and-ports
https://github.com/canonical/microk8s/issues/1419
https://www.reddit.com/r/sysadmin/comments/1f1p7ip/ssl_medium_strength_cipher_suites_supported/
https://help.defense.com/en/articles/6302810-ssl-medium-strength-cipher-suite-supported-sweet32-windows
https://shantanudeyanik.medium.com/configure-kubernetes-with-strong-cipher-suites-0053ca0accba