Merge pull request #347 from microsoft/users/chanely/deprecated-tls

Use of deprecated tls version

Author: chanel-y

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols
+      used to secure network communications. Older versions of these protocols have known
+      vulnerabilities that can be exploited by attackers to compromise the confidentiality and
+      integrity of data in transit.
+    </p>
+    <p>
+      The following versions are considered deprecated:
+    </p>
+    <ul>
+      <li>SSL 3.0 is vulnerable to the POODLE attack and other weaknesses.</li>
+      <li>TLS 1.0 has known vulnerabilities including the BEAST attack and weak cipher suites.</li>
+      <li>TLS 1.1 lacks support for modern cryptographic algorithms and is deprecated by RFC 8996.</li>
+    </ul>
+  </overview>
+  <recommendation>
+    <p>
+      Use TLS 1.2 or TLS 1.3 for all secure communications. TLS 1.3 is preferred as it removes
+      support for legacy cryptographic features and provides improved performance. When configuring
+      <code>SecurityProtocolType</code>, use <code>Tls12</code> or <code>Tls13</code>.
+    </p>
+  </recommendation>
+  <example>
+    <p>
+      In the following example, the script enables the deprecated SSL 3.0 and TLS 1.0 protocols:
+    </p>
+    <sample src="examples/DeprecatedTls/DeprecatedTlsBad.ps1" />
+    <p>
+      The following example shows the corrected code using TLS 1.2:
+    </p>
+    <sample src="examples/DeprecatedTls/DeprecatedTlsGood.ps1" />
+  </example>
+  <references>
+    <li>IETF, RFC 8996: <a href="https://datatracker.ietf.org/doc/html/rfc8996">Deprecating TLS 1.0 and TLS 1.1</a>.</li>
+    <li>NIST, SP 800-52 Rev. 2: <a href="https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final">Guidelines for the Selection, Configuration, and Use of TLS Implementations</a>.</li>
+    <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html">Transport Layer Security Cheat Sheet</a>.</li>
+    <li>CWE-757: <a href="https://cwe.mitre.org/data/definitions/757.html">Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')</a>.</li>
+  </references>
+</qhelp>

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql

@@ -0,0 +1,90 @@
+/**
+ * @name Use of deprecated TLS/SSL version
+ * @description Using deprecated TLS/SSL versions (SSL3, TLS 1.0, TLS 1.1) weakens transport security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/deprecated-tls
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-757
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * Gets the human-readable name for a deprecated protocol.
+ */
+bindingset[protocolName]
+string getProtocolDisplayName(string protocolName) {
+  protocolName = "ssl3" and result = "SSL 3.0"
+  or
+  protocolName = "tls" and result = "TLS 1.0"
+  or
+  protocolName = "tls11" and result = "TLS 1.1"
+}
+
+abstract class SecurityProtocol extends Expr {
+  abstract string getProtocolName();
+}
+
+/**
+ * A reference to a deprecated SecurityProtocolType enum value, e.g.
+ * [Net.SecurityProtocolType]::Ssl3
+ */
+class DeprecatedSecurityProtocolType extends SecurityProtocol {
+  string protocolName;
+
+  DeprecatedSecurityProtocolType() {
+    exists(API::Node node |
+      (
+        node =
+          API::getTopLevelMember("system")
+              .getMember("net")
+              .getMember("securityprotocoltype")
+              .getMember(protocolName)
+        or
+        node =
+          API::getTopLevelMember("net")
+              .getMember("securityprotocoltype")
+              .getMember(protocolName)
+      ) and
+      this = node.asSource().asExpr().getExpr()
+    )
+  }
+
+  override string getProtocolName() { result = protocolName }
+}
+
+/**
+ * A reference to a deprecated SslProtocols enum value, e.g.
+ * [System.Security.Authentication.SslProtocols]::Tls
+ */
+class DeprecatedSslProtocols extends SecurityProtocol {
+  string protocolName;
+
+  DeprecatedSslProtocols() {
+    exists(API::Node node |
+      node =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("authentication")
+            .getMember("sslprotocols")
+            .getMember(protocolName) and
+      this = node.asSource().asExpr().getExpr()
+    )
+  }
+
+  override string getProtocolName() { result = protocolName }
+}
+
+from SecurityProtocol sp, string protocolName
+where
+  protocolName = sp.getProtocolName() and 
+  protocolName = ["ssl3", "tls", "tls11"]
+select sp,
+  "Use of deprecated protocol " + getProtocolDisplayName(protocolName) +
+    ". Use TLS 1.2 or TLS 1.3 instead."

powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1

@@ -0,0 +1,8 @@
+# BAD: Using deprecated SSL 3.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3
+
+# BAD: Using deprecated TLS 1.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls
+
+# BAD: Using deprecated TLS 1.1
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11

powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1

@@ -0,0 +1,5 @@
+# GOOD: Using TLS 1.2
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+# GOOD: Using TLS 1.3
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13

powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected

@@ -0,0 +1,4 @@
+| test.ps1:6:47:6:78 | ssl3 | Use of deprecated protocol SSL 3.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:9:47:9:77 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:12:47:12:79 | tls11 | Use of deprecated protocol TLS 1.1. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:15:54:15:91 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |

powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref

@@ -0,0 +1 @@
+queries/security/cwe-757/DeprecatedTls.ql

powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1

@@ -0,0 +1,25 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: SSL 3.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3 # BAD
+
+# --- Case 2: TLS 1.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls # BAD
+
+# --- Case 3: TLS 1.1 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 # BAD
+
+# --- Case 4: Full namespace TLS 1.0 ---
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: TLS 1.2 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # GOOD
+
+# --- Safe: TLS 1.3 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13 # GOOD