LUCKY13 attack on Azure Front Door with TLS 1.2

Rasmus Larsen 25

Hi there,

We currently have a solution that utilizes the Front Door setup with a custom domain and an AFD managed certificate. It has been configured to meet the minimum requirement of TLS 1.2.

However, during a pen-test phase, it was discovered that the cipher suites used include CBC, which is outdated and susceptible to the LUCKY13 attack. Here is a reference link to the attack: https://crashtest-security.com/prevent-ssl-lucky13/

And here is the cipher suite documented for Front-Door: https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium#supported-cipher-suites

We would like to know if there is a way to disable these ciphers, and if not we are interested in any online documentation that describes how Microsoft prevents LUCKY13 attacks against Front Door.

Thank you.

ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee

2023-02-27T17:55:23.7166667+00:00

@Rasmus Larsen

I have reached out to the team internally regarding this issue and will make an update here as soon as I get a response. Thank you!
ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee

2023-03-04T00:06:15.7433333+00:00

@Rasmus Larsen

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Alexandre Ribeiro do Nascimento 1 Reputation point

2023-05-17T18:16:21.0966667+00:00

We found the same problem and are moving to another CDN+WAF vendor.

Those kind of limitations in Azure are drawing us back on its adoption.
David Hendrick 0 Reputation points

2023-12-07T14:28:05.3166667+00:00

Has there been any update to this?
Embers99 25 Reputation points

2024-04-10T14:26:11+00:00

Any update to this? Frontdoor currently fails our annual pen tests.

Accepted answer

ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee

2023-03-02T03:43:24.7433333+00:00

@Rasmus Larsen

Thank you for your patience here. I got a response back from the team.

Currently disabling specific ciphers is not supported for Azure Front Door. The team is working on this feature, and it will be rolled out soon.

The suggested work around in this case is to configure the client to not use the weak ciphers. Thank you!

Hope this helps!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Chris Procter 11 Reputation points

2023-04-27T00:23:44.0766667+00:00

We have a client requesting similar alterations to cipher support. Do you have an ETA for this feature?

San 0 Reputation points

2023-06-20T15:45:58.1333333+00:00

@ChaitanyaNaykodi-MSFT an ETA would be very helpful for this feature. We are facing the same issue.

ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee

2023-07-03T21:46:38.94+00:00

@San @Chris Procter

The current target is to release this as preview feature by 4th quarter 2023.

apocalysque 0 Reputation points

2023-08-04T18:44:06.8433333+00:00

Any estimate on when this might be rolled out?

Victor Manuel Gutiérrez 0 Reputation points

2023-11-16T15:11:19.14+00:00

Any update on this?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Embers99 25 Reputation points

2024-04-10T14:20:15.2533333+00:00

Just like various other security features (DNSSEC?) this one has not materialised either.
Sign in to comment

LUCKY13 attack on Azure Front Door with TLS 1.2

0 additional answers