Hello Aarushi Saraswat
It looks like you're facing the TLS CBC Incorrect Padding Abuse Vulnerability issue with your Azure public IP that's linked to a bastion connection. This vulnerability typically arises from the way the Cipher Block Chaining (CBC) mode handles padding, making it susceptible to certain attacks.
To remediate this issue, here are some steps you can consider:
- Check Minimum TLS Version: Make sure that your Azure resources are configured to use a minimum TLS version of 1.2. Azure advises against using TLS 1.0 or 1.1 as they are being deprecated due to security concerns. You can check this setting in your Azure Portal under your resource's configuration settings.
- Update Applications: Ensure that any applications communicating through this public IP are updated to use TLS 1.2 or higher. This may involve updating application frameworks (like .NET or Java) to versions that support modern TLS versions.
- Review Cipher Suites: Ensure that your application is using secure cipher suites. Azure manages cipher suites automatically, but if you are using an Application Gateway or similar service, you may need to set allowed ciphers explicitly.
- Further Testing: Consider running diagnostic tools to test your TLS connectivity. Tools like Qualys SSL Labs can provide detailed reports on supported protocols and cipher suites, which can help you identify any vulnerabilities.
- Implement HMAC: If you have custom applications using CBC mode for encryption, consider implementing a keyed-hash message authentication code (HMAC) to ensure integrity checks are performed before decryption. This protects against padding oracle attacks.
- Stay Updated: Keep an eye on updates from Microsoft regarding any changes or recommendations about Cipher Block Chaining and TLS security.
Reference List:
- Issues using minimum TLS version feature
- TLS version support in Azure Storage
- Microsoft Security Advisory 4338110
- Timing vulnerabilities with CBC-mode symmetric decryption using padding
- TLS Protocol Vulnerability - CVE-2012-1870
- Security Control v3: Network security
I hope this has been helpful!
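The protocol and cipher-suite checks described in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: it flags pre-TLS 1.2 protocols and CBC suites in a scan result, and builds a Python client context that offers neither. The scan data is constructed, and the function names and the cipher string are choices made for this example.

```python
import ssl

# Constructed sample of what a TLS scan of an endpoint might report
# (IANA suite names, as SSL Labs shows them). Not taken from the thread.
SAMPLE_SCAN = {
    "TLSv1.0": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
    "TLSv1.2": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    ],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384"],
}
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def flag_findings(scan):
    """Return (protocol, suite, reason) for every entry that needs remediation."""
    findings = []
    for proto, suites in scan.items():
        for suite in suites:
            if proto in OLD_PROTOCOLS:
                findings.append((proto, suite, "protocol below TLS 1.2"))
            elif "_CBC_" in suite:
                findings.append((proto, suite, "CBC-mode suite"))
    return findings


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and offers only AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305.
    # TLS 1.3 suites are configured separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def cbc_suites_offered(ctx):
    """Names of CBC-mode suites the context would still offer to a server."""
    return [c["name"] for c in ctx.get_ciphers() if "cbc" in c.get("symmetric", "")]


if __name__ == "__main__":
    for finding in flag_findings(SAMPLE_SCAN):
        print(finding)
    print("CBC suites offered by hardened context:",
          cbc_suites_offered(hardened_client_context()))
```

Running `cbc_suites_offered(ssl.create_default_context())` on the same host shows what an unmodified client would offer, which is a useful baseline before changing anything.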