Vulnerability Discussion
It is important that Automation Controller NGINX web server debugging and trace information used to diagnose the web server is disabled, because debugging information can yield information about the Automation Controller NGINX webserver, like web server type, version, patches installed, plugins, modules, the hosted app’s code type. Back ends used for storage could be revealed, as well. An attacker would not need to cause an error condition to gain this information because they could reside in logs and general messages.
If debugging/trace information is enabled, attackers could get the information from logs and general information, without drawing attention to themselves via an error message.
Check
For each Automation Controller NGINX web server, a system administrator must check to determine if any error or debug information is being logged or generated:
NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; cat $NGINXCONF | grep '^\s*error_log' && echo FAILED
If "FAILED" is displayed, this is a finding.
Fix
For each Automation Controller NGINX web server, a system administrator must complete the following steps.
Verify the NGINX configuration file in use:
NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; echo $NGINXCONF
Remove the error_log directive from the NGINX configuration file.
Cause NGINX to reload its configuration file:
pkill -HUP nginx