Commit 4b4bfd2

supergick authored and chris-rock committed
control for robotattack (#18)
Disabling TLS_RSA ciphers based on robotattack.org guide. Signed-off-by: Christoph Kappel <[email protected]>
1 parent 9c5240c commit 4b4bfd2

File tree: 2 files changed, +26 -4 lines changed

README.md

Lines changed: 8 additions & 4 deletions
@@ -1,7 +1,7 @@
11
ssl-baseline
22
===================
33

4-
This Compliance Profile demonstrates the use of InSpec's [SSL resource](https://www.inspec.io/docs/reference/resources/ssl/)
4+
This Compliance Profile demonstrates the use of InSpec's [SSL resource](https://www.inspec.io/docs/reference/resources/ssl/) by enforcing strong TLS configuration.
55

66
The tests are based on
77
- [Mozillas TLS Guidelines](https://wiki.mozilla.org/Security/Server_Side_TLS)
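Review bot: the context line `- [Mozillas TLS Guidelines](https://wiki.mozilla.org/Security/Server_Side_TLS)` is missing the possessive apostrophe; since this hunk already rewrites the intro sentence, change it to `Mozilla's TLS Guidelines` in the same commit rather than leaving the typo for a follow-up.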
@@ -13,16 +13,20 @@ The tests are based on
1313
Requires [InSpec](https://github.com/chef/inspec) 1.21.0 or newer for execution:
1414

1515
```
16-
$ git clone https://github.com/dev-sec/ssl-benchmark
17-
$ inspec exec ssl-benchmark
16+
$ git clone https://github.com/dev-sec/ssl-baseline
17+
$ inspec exec ssl-baseline
1818
```
1919

2020
You can also execute the profile directly from Github:
2121

2222
```
23-
$ inspec exec https://github.com/dev-sec/ssl-benchmark
23+
$ inspec exec https://github.com/dev-sec/ssl-baseline
2424
```
2525

26+
## Covered Attacks / Weaknesses
27+
28+
- [Return Of Bleichenbacher's Oracle Threat (ROBOT)](https://robotattack.org/)
29+
2630
## Contributors + Kudos
2731

2832
* Dominik Richter [arlimus](https://github.com/arlimus)
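Review bot: the new "Covered Attacks / Weaknesses" section links ROBOT but does not say what the profile actually checks for it, and that matters because the check is a configuration test, not a probe of the oracle: a server whose TLS stack has been patched against the Bleichenbacher side channel still fails if it offers any `TLS_RSA_*` suite, and a server that has disabled RSA key exchange passes regardless of patch level. Add one line under the bullet, for example "Checked by requiring that no RSA key-exchange cipher suite (`TLS_RSA_*`) is enabled", so an operator who sees the control fail knows that the expected remediation is to drop those suites, which also removes the non-forward-secret ciphers from the server.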

controls/ssl_test.rb

Lines changed: 18 additions & 0 deletions
@@ -563,3 +563,21 @@
563563
end
564564
end
565565
end
566+
567+
control 'robotattack' do
568+
title "Return Of Bleichenbacher's Oracle Threat"
569+
desc 'ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.'
570+
ref "Paper: Return Of Bleichenbacher's Oracle Threat (ROBOT)", url: 'https://ia.cr/2017/1189'
571+
tag 'sslattack', 'tlsattack'
572+
impact 0.5
573+
only_if { sslports.length > 0 }
574+
575+
sslports.each do |sslport|
576+
# create a description
577+
proc_desc = "on node == #{target_hostname} running #{sslport[:socket].process.inspect} (#{sslport[:socket].pid})"
578+
describe ssl(sslport).ciphers(/^TLS_RSA/i) do
579+
it(proc_desc) { should_not be_enabled }
580+
it { should_not be_enabled }
581+
end
582+
end
583+
end
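Review bot: the control's only `ref` cites the IACR paper (`url: 'https://ia.cr/2017/1189'`), while the commit message says the cipher selection follows the robotattack.org guide; add a second `ref` pointing at https://robotattack.org/ so the choice of `ciphers(/^TLS_RSA/i)` is traceable to the mitigation advice it implements. The pattern itself has the right scope: it matches every suite whose name begins with `TLS_RSA_`, i.e. the ones that use RSA key transport (including `TLS_RSA_EXPORT_*`), and leaves `TLS_ECDHE_RSA_*` and `TLS_DHE_RSA_*` alone, where RSA is only used for signing and the padding oracle does not apply. Two smaller points: the `describe` block carries both `it(proc_desc) { should_not be_enabled }` and a bare `it { should_not be_enabled }`, which evaluate the same expectation twice, so drop the bare one unless it is kept for parity with the other controls in this file; and `impact 0.5` would benefit from a one-line comment, since the `desc` itself states that the attack yields RSA decryption and signing with the server's private key, which reads as more than medium severity.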
