This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi Team,
Need urgent help with documentation regarding fixing of Lucky-13 Vulnerability [CVE-2013-0169] raised for Azure WAFv2 which is impacting Go-Live for Customer.
As per the recommendation, it requires TLS 1.3 to fix but WAF v2 does not support it seems.
It is quite disappointing where we dont have proper documentation on such vulnerability fixes and it is creating impression to Customer to Not Opt for Azure Products with out proper security fixes.
@Girish Namala , Appreciate your patience. You can implement AEAD cipher suites such as AES-GCM. The support for these ciphers was introduced in TLS 1.2 in order prevent the LUCKY13 attack.
----------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
@suvasara-MSFT Thanks for the reply, can you please help with any documentation how to implement AEAD Cipher suites over WAF v2 SSL Policy.
As of now the SSL Policy defined is Pre-defined [AppGwSslPolicy20170401S]., where the respective AES GCM is already part of the Ciphers.
Cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
@Girish Namala , Selecting the highlighted cipher suits to your listener configuration should solve this issue,
As mentioned in my earlier comment, the Ciphers mentioned in the image are already part of the "Predefined Policy" do you suggest further changes?
@Girish Namala , Apologies for the delay in response. The above-mentioned ciphers should be enough to avoid Lucky 13 vulnerability attacks. Please let us know if you need further help.
If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.
Best regards
Subhash