LUCKY13 attack on Azure Front Door with TLS 1.2

Question

LUCKY13 attack on Azure Front Door with TLS 1.2

Rasmus Larsen 25

Hi there,

We currently have a solution that utilizes the Front Door setup with a custom domain and an AFD managed certificate. It has been configured to meet the minimum requirement of TLS 1.2.

However, during a pen-test phase, it was discovered that the cipher suites used include CBC, which is outdated and susceptible to the LUCKY13 attack. Here is a reference link to the attack: https://crashtest-security.com/prevent-ssl-lucky13/

And here is the cipher suite documented for Front-Door: https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium#supported-cipher-suites

We would like to know if there is a way to disable these ciphers, and if not we are interested in any online documentation that describes how Microsoft prevents LUCKY13 attacks against Front Door.

Thank you.

ChaitanyaNaykodi-MSFT 15,961 Reputation points Microsoft Employee

2023-02-27T17:55:23.7166667+00:00

@Rasmus Larsen

I have reached out to the team internally regarding this issue and will make an update here as soon as I get a response. Thank you!
ChaitanyaNaykodi-MSFT 15,961 Reputation points Microsoft Employee

2023-03-04T00:06:15.7433333+00:00

@Rasmus Larsen

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Alexandre Socas 1 Reputation point

2023-05-17T18:16:21.0966667+00:00

We found the same problem and are moving to another CDN+WAF vendor.

Those kind of limitations in Azure are drawing us back on its adoption.

ChaitanyaNaykodi-MSFT 15,961 Reputation points Microsoft Employee

2023-02-27T17:55:23.7166667+00:00

@Rasmus Larsen

I have reached out to the team internally regarding this issue and will make an update here as soon as I get a response. Thank you!
ChaitanyaNaykodi-MSFT 15,961 Reputation points Microsoft Employee

2023-03-04T00:06:15.7433333+00:00

@Rasmus Larsen

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Alexandre Socas 1 Reputation point

2023-05-17T18:16:21.0966667+00:00

We found the same problem and are moving to another CDN+WAF vendor.

Those kind of limitations in Azure are drawing us back on its adoption.

Answer 1

ChaitanyaNaykodi-MSFT 15,961 Microsoft Employee

@Rasmus Larsen

Thank you for your patience here. I got a response back from the team.

Currently disabling specific ciphers is not supported for Azure Front Door. The team is working on this feature, and it will be rolled out soon.

The suggested work around in this case is to configure the client to not use the weak ciphers. Thank you!

Hope this helps!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Chris Procter 11 Reputation points

2023-04-27T00:23:44.0766667+00:00

We have a client requesting similar alterations to cipher support. Do you have an ETA for this feature?
San 0 Reputation points

2023-06-20T15:45:58.1333333+00:00

@ChaitanyaNaykodi-MSFT an ETA would be very helpful for this feature. We are facing the same issue.
ChaitanyaNaykodi-MSFT 15,961 Reputation points Microsoft Employee

2023-07-03T21:46:38.94+00:00

@San @Chris Procter

The current target is to release this as preview feature by 4th quarter 2023.
apocalysque 0 Reputation points

2023-08-04T18:44:06.8433333+00:00

Any estimate on when this might be rolled out?

LUCKY13 attack on Azure Front Door with TLS 1.2

0 additional answers

Activity