- Bug
- Resolution: Duplicate
- Major
- None
- 4.11
- None
- Important
- No
- Proposed
- False
-
The customer runs "nmap -sV --script ssl-enum-ciphers -p 9201,9202,9203,9204,9205,9211 10.151.198.6" and 2 out of his 3 master nodes report:
    cipher preference: server
    warnings:
      64-bit block cipher 3DES vulnerable to SWEET32 attack
We can see that on his OpenShift 4.11 cluster this comes from the CSI driver, a container running on the OpenShift master nodes:
openshift-cluster-csi-drivers/apps/deployments.yaml:
    --secure-listen-address=0.0.0.0:9201
    containerPort: 9201
    hostPort: 9201
This is part of the azure-disk-csi-driver-controller. From its log:
main.go:339] Starting TCP socket on 0.0.0.0:9201
main.go:346] Listening securely on 0.0.0.0:9201
http: TLS handshake error from 10.150.10.139:47650: read tcp 10.151.198.7:9201->10.150.10.139:47650: read: connection reset by peer
Summary:
- Scans are done from the internal network, from a workstation
- OpenShift runs in the Azure cloud
- Only master nodes are reported as vulnerable
- "curl -vvv -k $(oc whoami --show-server)" to a master only shows TLSv1.3
- "nmap -sV --script ssl-enum-ciphers -p 9201,9202,9203,9204,9205,9211 10.151.198.6" shows 3DES and TLSv1.2
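The warning above comes from the TLS 1.2 suite list that a Go server advertises when it is started without an explicit cipher-suite list (kube-rbac-proxy, which owns the --secure-listen-address flag on port 9201, is written in Go): older Go releases included TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA in the default list, which is exactly the 64-bit block cipher ssl-enum-ciphers flags as SWEET32, and the linked duplicate fixes it by configuring an explicit list. The following is an added example, not code from this bug report or from kube-rbac-proxy, that builds such an allow-list and proves the effect with an in-memory handshake: a client that offers only the 3DES suite is rejected by the hardened server, while an AES-GCM client still connects. The throwaway certificate, the Negotiate and HasSweet32 helpers and the client suite lists are this example's own assumptions; the suite names themselves are Go's crypto/tls constants, the form kube-rbac-proxy's --tls-cipher-suites flag takes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync"
	"time"
)

// HardenedCipherSuites is the TLS 1.2 allow-list for the server: ECDHE key
// exchange with AEAD ciphers only, so no 64-bit block cipher (3DES) can be
// negotiated. TLS 1.3 suites are fixed by Go and are not affected by this list.
func HardenedCipherSuites() []uint16 {
	return []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	}
}

// Constructed client offers: one that only speaks the SWEET32-affected suite
// nmap reported, and one ordinary AEAD client.
var (
	ClientOnly3DES   = []uint16{tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}
	ClientOnlyAESGCM = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
)

// HasSweet32 reports whether a suite list contains a 64-bit block cipher,
// the condition ssl-enum-ciphers reports as "vulnerable to SWEET32 attack".
func HasSweet32(suites []uint16) bool {
	for _, id := range suites {
		if id == tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA || id == tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA {
			return true
		}
	}
	return false
}

var (
	certOnce sync.Once
	certPair tls.Certificate
	certPool *x509.CertPool
	certErr  error
)

// throwawayCert builds an in-memory self-signed RSA certificate for "localhost"
// (RSA because Go's 3DES suites are RSA-keyed). Scaffolding for this example
// only; a real sidecar is handed its serving certificate by the cluster.
func throwawayCert() (tls.Certificate, *x509.CertPool, error) {
	certOnce.Do(func() {
		key, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			certErr = err
			return
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(1),
			Subject:      pkix.Name{CommonName: "localhost"},
			DNSNames:     []string{"localhost"},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			certErr = err
			return
		}
		leaf, err := x509.ParseCertificate(der)
		if err != nil {
			certErr = err
			return
		}
		certPool = x509.NewCertPool()
		certPool.AddCert(leaf)
		certPair = tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	})
	return certPair, certPool, certErr
}

// Negotiate runs a full TLS handshake in memory over net.Pipe (no sockets)
// between a server restricted to serverSuites (nil = Go's defaults) and a
// client offering only clientSuites. It returns the negotiated suite name, or
// the handshake error when the two sides share no suite. The client is pinned
// to TLS 1.2 because that is the version the 3DES finding concerns.
func Negotiate(serverSuites, clientSuites []uint16) (string, error) {
	cert, pool, err := throwawayCert()
	if err != nil {
		return "", err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, CipherSuites: serverSuites}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: clientSuites}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()

	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(srvConn, srvCfg).Handshake() }()

	cli := tls.Client(cliConn, cliCfg)
	if err := cli.Handshake(); err != nil {
		cliConn.Close() // unblock the server goroutine if it is still mid-write
		<-srvDone
		return "", err
	}
	if err := <-srvDone; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	// Whether Go's *default* list still accepts 3DES depends on the toolchain
	// that built the binary: Go 1.23 dropped it from the defaults (GODEBUG
	// tls3des=1 restores it), older releases offered it, hence the nmap finding.
	_, err := Negotiate(nil, ClientOnly3DES)
	fmt.Printf("default Go server accepts a 3DES-only client: %v\n", err == nil)
	name, err := Negotiate(HardenedCipherSuites(), ClientOnlyAESGCM)
	fmt.Printf("hardened server, AES-GCM client: %s (err=%v)\n", name, err)
	_, err = Negotiate(HardenedCipherSuites(), ClientOnly3DES)
	fmt.Printf("hardened server, 3DES-only client: err=%v\n", err)
}
```

The same allow-list, comma-separated and spelled with the Go constant names, is what goes into the sidecar's --tls-cipher-suites flag; after the change, re-running the ssl-enum-ciphers scan against 9201 should no longer list a 3DES suite or the SWEET32 warning under TLSv1.2, which is the check that closes the customer's finding.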
- duplicates
  - OCPBUGS-18418 [4.11] set TLS cipher suites in Kube RBAC sidecars (Closed)