From ccd89e2e1be88ef59cbe2e84a94b20aca6cca51e Mon Sep 17 00:00:00 2001 From: Chanel Young Date: Fri, 24 Apr 2026 14:14:12 -0700 Subject: [PATCH] re-added deprecated TLS query --- .../security/cwe-757/DeprecatedTls.qhelp | 42 +++++++++ .../queries/security/cwe-757/DeprecatedTls.ql | 90 +++++++++++++++++++ .../DeprecatedTls/DeprecatedTlsBad.ps1 | 8 ++ .../DeprecatedTls/DeprecatedTlsGood.ps1 | 5 ++ .../DeprecatedTls/DeprecatedTls.expected | 4 + .../cwe-757/DeprecatedTls/DeprecatedTls.qlref | 1 + .../security/cwe-757/DeprecatedTls/test.ps1 | 25 ++++++ 7 files changed, 175 insertions(+) create mode 100644 powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp create mode 100644 powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql create mode 100644 powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 create mode 100644 powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1 create mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected create mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref create mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1 diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp new file mode 100644 index 000000000000..30a69582ce43 --- /dev/null +++ b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp @@ -0,0 +1,42 @@ + + + +

+ TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols + used to secure network communications. Older versions of these protocols have known + vulnerabilities that can be exploited by attackers to compromise the confidentiality and + integrity of data in transit. +

+

+ The following versions are considered deprecated: +

+
    +
  • SSL 3.0 is vulnerable to the POODLE attack and other weaknesses.
  • +
  • TLS 1.0 has known vulnerabilities including the BEAST attack and weak cipher suites.
  • +
  • TLS 1.1 lacks support for modern cryptographic algorithms and is deprecated by RFC 8996.
  • +
+
+ +

+ Use TLS 1.2 or TLS 1.3 for all secure communications. TLS 1.3 is preferred as it removes + support for legacy cryptographic features and provides improved performance. When configuring + SecurityProtocolType, use Tls12 or Tls13. +

+
+ +

+ In the following example, the script enables the deprecated SSL 3.0 and TLS 1.0 protocols: +

+ +

+ The following example shows the corrected code using TLS 1.2: +

+ +
+ +
  • IETF, RFC 8996: Deprecating TLS 1.0 and TLS 1.1.
  • +
  • NIST, SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations.
  • +
  • OWASP: Transport Layer Security Cheat Sheet.
  • +
  • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade').
  • +
    +
    diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql new file mode 100644 index 000000000000..c4faa4a23a32 --- /dev/null +++ b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql 
@@ -0,0 +1,90 @@
+/**
+ * @name Use of deprecated TLS/SSL version
+ * @description Using deprecated TLS/SSL versions (SSL3, TLS 1.0, TLS 1.1) weakens transport security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/deprecated-tls
+ * @tags security
+ * external/cwe/cwe-327
+ * external/cwe/cwe-757
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * Gets the human-readable name for a deprecated protocol.
+ */
+bindingset[protocolName]
+string getProtocolDisplayName(string protocolName) {
+ protocolName = "ssl3" and result = "SSL 3.0"
+ or
+ protocolName = "tls" and result = "TLS 1.0"
+ or
+ protocolName = "tls11" and result = "TLS 1.1"
+}
+
+abstract class SecurityProtocol extends Expr {
+ abstract string getProtocolName();
+}
+
+/**
+ * A reference to a deprecated SecurityProtocolType enum value, e.g.
+ * [Net.SecurityProtocolType]::Ssl3
+ */
+class DeprecatedSecurityProtocolType extends SecurityProtocol {
+ string protocolName;
+
+ DeprecatedSecurityProtocolType() {
+ exists(API::Node node |
+ (
+ node =
+ API::getTopLevelMember("system")
+ .getMember("net")
+ .getMember("securityprotocoltype")
+ .getMember(protocolName)
+ or
+ node =
+ API::getTopLevelMember("net")
+ .getMember("securityprotocoltype")
+ .getMember(protocolName)
+ ) and
+ this = node.asSource().asExpr().getExpr()
+ )
+ }
+
+ override string getProtocolName() { result = protocolName }
+}
+
+/**
+ * A reference to a deprecated SslProtocols enum value, e.g.
+ * [System.Security.Authentication.SslProtocols]::Tls
+ */
+class DeprecatedSslProtocols extends SecurityProtocol {
+ string protocolName;
+
+ DeprecatedSslProtocols() {
+ exists(API::Node node |
+ node =
+ API::getTopLevelMember("system")
+ .getMember("security")
+ .getMember("authentication")
+ .getMember("sslprotocols")
+ .getMember(protocolName) and
+ this = node.asSource().asExpr().getExpr()
+ )
+ }
+
+ override string getProtocolName() { result = protocolName }
+}
+
+from SecurityProtocol sp, string protocolName
+where
+ protocolName = sp.getProtocolName() and
+ protocolName = ["ssl3", "tls", "tls11"]
+select sp,
+ "Use of deprecated protocol " + getProtocolDisplayName(protocolName) +
+ ". Use TLS 1.2 or TLS 1.3 instead."
diff --git a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1
new file mode 100644
index 000000000000..45a54ce3659a
--- /dev/null
+++ b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1
@@ -0,0 +1,8 @@
+# BAD: Using deprecated SSL 3.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3
+
+# BAD: Using deprecated TLS 1.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls
+
+# BAD: Using deprecated TLS 1.1
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11
diff --git a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1 b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1
new file mode 100644
index 000000000000..2d4160e11412
--- /dev/null
+++ b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1
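Review bot: The `where` clause's allow-list `protocolName = ["ssl3", "tls", "tls11"]` leaves out two deprecated members of `System.Security.Authentication.SslProtocols` that `DeprecatedSslProtocols` can already match: `Ssl2`, and `Default`, which that enum defines as `Ssl3 | Tls`, so a script selecting either is reported as clean. Extending the list to `protocolName = ["ssl2", "ssl3", "tls", "tls11", "default"]` and adding `protocolName = "ssl2" and result = "SSL 2.0"` and `protocolName = "default" and result = "SslProtocols.Default (SSL 3.0 and TLS 1.0)"` to `getProtocolDisplayName` closes that gap without affecting `SecurityProtocolType`, which has no members of those names. Separately, both class docstrings say "a reference to a deprecated ... enum value", yet neither characteristic predicate constrains `protocolName`, so the classes match every member including `Tls12`; either move the allow-list into the predicates or reword, e.g. `A reference to any SecurityProtocolType enum value; the query's where clause narrows this to deprecated names.` The `import semmle.code.powershell.dataflow.DataFlow` line is not used by anything in the query body and can be dropped.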
@@ -0,0 +1,5 @@
+# GOOD: Using TLS 1.2
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+# GOOD: Using TLS 1.3
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
new file mode 100644
index 000000000000..ecc4a82a7d4b
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
@@ -0,0 +1,4 @@
+| test.ps1:6:47:6:78 | ssl3 | Use of deprecated protocol SSL 3.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:9:47:9:77 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:12:47:12:79 | tls11 | Use of deprecated protocol TLS 1.1. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:15:54:15:91 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
new file mode 100644
index 000000000000..6ef6aa8af337
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
@@ -0,0 +1 @@
+queries/security/cwe-757/DeprecatedTls.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1 b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
new file mode 100644
index 000000000000..49e2448be73d
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
@@ -0,0 +1,25 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: SSL 3.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3 # BAD
+
+# --- Case 2: TLS 1.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls # BAD
+
+# --- Case 3: TLS 1.1 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 # BAD
+
+# --- Case 4: Full namespace TLS 1.0 ---
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: TLS 1.2 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # GOOD
+
+# --- Safe: TLS 1.3 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13 # GOOD
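Review bot: Every case in this file references `SecurityProtocolType`, so the query's second class, `DeprecatedSslProtocols` (the `[System.Security.Authentication.SslProtocols]` path), has no positive or negative coverage and a regression there would not show up in `DeprecatedTls.expected`. A case such as `$handler = New-Object System.Net.Http.HttpClientHandler` followed by `$handler.SslProtocols = [System.Security.Authentication.SslProtocols]::Tls # BAD`, plus the corresponding expected row, would exercise it. It would also be worth adding a combined-flags negative, e.g. `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13 # GOOD`, since `-bor` is the common way these values are set in practice.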