problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2

profile photo of returntocorpreturntocorp
Author
2,021
Download Count*

Detects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.

Run Locally

Run in CI

Defintion

rules:
  - id: disallow-old-tls-versions2
    message: Detects creations of $HTTPS servers from option objects that don't
      disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to
      POODLE, man in the middle attacks, and other vulnerabilities.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://us-cert.cisa.gov/ncas/alerts/TA14-290A
        - https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs
        - https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
      subcategory:
        - vuln
      technology:
        - node.js
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    patterns:
      - pattern-either:
          - pattern-inside: |
              $CONST = require('crypto');
              ...
          - pattern-inside: |
              $CONST = require('constants');
              ...
      - pattern-inside: |
          $HTTPS = require('https');
          ...
      - pattern: |
          $OPTIONS = {};
          ...
          $HTTPS.createServer($OPTIONS, ...);
      - pattern-not: >
          $OPTIONS = {secureOptions: $CONST.SSL_OP_NO_TLSv1 |
          $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_SSLv2};

          ...

          $HTTPS.createServer($OPTIONS, ...);
      - pattern-not: >
          $OPTIONS = {secureOptions: $CONST.SSL_OP_NO_TLSv1 |
          $CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_SSLv3};

          ...

          $HTTPS.createServer($OPTIONS, ...);
      - pattern-not: >
          $OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv2  |
          $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv3};

          ...

          $HTTPS.createServer($OPTIONS, ...);
      - pattern-not: >
          $OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv2 |
          $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_TLSv1};

          ...

          $HTTPS.createServer($OPTIONS, ...);
      - pattern-not: >
          $OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv3 |
          $CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_TLSv1};

          ...

          $HTTPS.createServer($OPTIONS, ...);
      - pattern-not: >
          $OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv3 |
          $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv2};

          ...

          $HTTPS.createServer($OPTIONS, ...);

Examples

disallow-old-tls-versions2.js

const https = require('https');

function ok1() {
    var constants = require('crypto');
    // ok: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_SSLv3
    };
    https.createServer(sslOptions);
}

function ok2() {
    var constants = require('crypto');
    // ok: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
    };
    https.createServer(sslOptions);
}

function ok3() {
    var constants = require('crypto');
    // ok: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3
    };
    https.createServer(sslOptions);
}

function ok4() {
    var constants = require('constants');
    // ok: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3
    };
    https.createServer(sslOptions);
}

function bad1() {
    var constants = require('crypto');
    // ruleid: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3
    };
    https.createServer(sslOptions);
}

function bad2() {
    var constants = require('crypto');
    // ruleid: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    secureOptions: constants.SSL_OP_NO_SSLv2
    };
    https.createServer(sslOptions);
}

function bad3() {
    var constants = require('crypto');
    // ruleid: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    };
    https.createServer(sslOptions);
}

function bad4() {
    var constants = require('constants');
    // ruleid: disallow-old-tls-versions2
    var sslOptions = {
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    secureProtocol: 'SSLv23_server_method',
    };
    https.createServer(sslOptions);
}