Curl SSL/TLS configuration should be chosen carefully

Pierre-Loup · August 27, 2018, 2:21pm

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
curl's versions of SSL/TLS protocols and cypher suites must be chosen carrefuly.

Impact
Changing SSL/TLS configuration at runtime may lead to security miscofiguration :

Deprecated protocol version :
- CURL_SSLVERSION_SSLv2
- CURL_SSLVERSION_SSLv3
- CURL_SSLVERSION_TLSv1
- CURL_SSLVERSION_TLSv1_0
- CURL_SSLVERSION_TLSv1_1
Weak or broken cipher suites :
- To be determined. It may be safer to keep curl's default configuration.

Noncompliant Code Example

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, "AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5")

Compliant Solution

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

References

MITRE CWE-327 - Inadequate Encryption Strength
MITRE CWE-326 - Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10 2017 Category A6 - Security Misconfiguration

Type
Vulnerability

Tags
cwe, owasp-a6

Alexandre_Gigleux · September 7, 2018, 3:59pm

Thanks for the suggestion @Pierre-Loup.

I decided to extend the rule S4423 to cover the case of curl_setopt.

Here is the implementation ticket: https://jira.sonarsource.com/browse/SONARPHP-825

Note:
I’ve just noticed that “Noncompliant Code Example” and “Compliant Solution” are wrong here so I fixed https://jira.sonarsource.com/browse/RSPEC-4715 so that it is corrected next time we do a release of SonarPHP.

Regards

Pierre-Loup · September 24, 2018, 10:56am

Rule as been added to sonarPHP.
https://github.com/SonarSource/sonar-php/pull/342

pynicolas · September 24, 2018, 12:02pm

Thanks a lot for your contribution @Pierre-Loup!