Friday, May 1, 2015

Production Support Incident 3: Disable SSlv3 Poddle Attack on Azure web role and worker Role

Poodle attack - SSLV3 Enabled

Tool to ---Test your website server is poodle free..poodle test?
https://www.ssllabs.com/ssltest/


Courtesy: http://en.wikipedia.org/wiki/POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients'

Website and server should be poodle free, its vulnerable if we have SSLV3 policy protocol is enabled. One can disabled SSLV3 through regedit whereas in cloud we have to disable using startup script in Service definitions.

1. Add .cmd batch file in startup script of Role profile folder.
2. Give path of start up script in servicedefination configuration under task tag.
3. Keep the powershell file in root of website or webrole.
4. Ensure ps1 file is copy to content always. Right click on powershell file in solution VS and check property to enable this options.


Importantly!
Even after deployment your SSL scan test lab shows you  C grade check for webseal or WAF (Web application firewall). In such case you may have to disable ssl in server that is acting as firewall. Check with your infrastructure team.

****Check any WAF environment. Web application Firewall behind which your azure web role may resides.


http://www.ideliverable.com/blog/making-iis-configuration-changes-in-a-web-role-startup-task
http://blogs.msdn.com/b/jimoneil/archive/2011/02/07/azure-startup-tasks-and-powershell-lessons-learned.aspx
http://www.dotnettwitter.com/2011/11/executing-powershell-script-with.html
http://stackoverflow.com/questions/15350936/running-powershell-from-azure-startup-task
http://stackoverflow.com/questions/28888768/adding-startup-script-to-azure-web-role-copy-to-output-directory-missing
http://www.troyhunt.com/2014/10/disabling-ssl-3-in-azure-websites-and.html
http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx



 

Please engage the team who maintains these Linux box and follow document below to disable SSL3.

Web servers


Apache


Put the following line in your configuration file, or replace any existing line starting with SSLProtocol:

SSLProtocol All -SSLv2 -SSLv3

Then run: sudo apache2ctl configtest && sudo service apache2 restart.

Don't forget to test your website.

Nginx


Put the following line in your configuration file, or replace any existing line starting with ssl_protocols:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Then restart the server (in Ubuntu: sudo service nginx restart).

Don't forget to test your website.

Lighttpd


Lighttpd releases before 1.4.28 allow you to disable SSLv2 only.

If you are running at least 1.4.29, put the following lines in your configuration file:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Then restart the server (in Ubuntu: sudo service lighttpd restart).

Don't forget to test your website.
Post a Comment