Here is my setup:
Self hosted ECE (version 3.7.2)
I have an ES cluster named APM
This cluster is using Fleet
After running a security scan, a vulnerability was found with the Fleet server: the DES/3DES cipher suites being allowed (SWEET32) on a Docker mapped port, 0.0.0.0:18888->8220/tcp. I have confirmed this with the following command:
nmap --script ssl-enum-ciphers -p 18888 my.host.net
PORT STATE SERVICE
18888/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
After looking at the GitHub repository for Fleet, I see there are options in the fleet-server.reference.yml file to adjust the ssl.supported_protocols and ssl.cipher_suites settings.
However, since this is a managed fleet integration server via ECE, I am not seeing a way to configure those settings. How do we resolve this vulnerability?
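A check to confirm the remediation once the cipher settings are applied, added here as an example that is not part of the original post or of Fleet itself: it parses nmap ssl-enum-ciphers output (a shortened copy of the scan above, embedded as constructed sample input) and flags every suite built on a 64-bit block cipher (the SWEET32 condition) plus any pre-TLS 1.2 protocol still offered.

```python
import re

# Constructed sample: a shortened copy of the nmap scan quoted in the post.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|_  least strength: C
"""

# 64-bit block ciphers used in TLS suite names: DES/3DES, IDEA, RC2 (all SWEET32-affected).
SWEET32_MARKERS = ("DES", "IDEA", "RC2")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+)(?:\s+\([^)]*\))?\s+-\s+([A-F])")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [(suite, nmap_grade), ...]} from ssl-enum-ciphers text."""
    result, current = {}, None
    for line in output.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            result.setdefault(current, [])
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current:
            result[current].append((cipher.group(1), cipher.group(2)))
    return result


def find_sweet32_findings(output):
    """Sorted (protocol, suite) pairs whose suite uses a 64-bit block cipher."""
    return sorted((proto, suite)
                  for proto, suites in parse_ssl_enum_ciphers(output).items()
                  for suite, _grade in suites
                  if any(marker in suite for marker in SWEET32_MARKERS))


def find_weak_protocols(output):
    """Sorted list of offered protocol versions older than TLS 1.2."""
    return sorted(p for p in parse_ssl_enum_ciphers(output) if p in WEAK_PROTOCOLS)


def is_remediated(output):
    """True only when no 64-bit block cipher and no pre-TLS 1.2 protocol is offered."""
    return not find_sweet32_findings(output) and not find_weak_protocols(output)
```

Pipe a fresh `nmap --script ssl-enum-ciphers` run into `is_remediated` after changing the settings; it must return True before the finding is closed.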