The Automation Controller NGINX web server must employ cryptographic mechanisms (TLS/DTLS/SSL) to prevent the unauthorized disclosure of information during transmission.

STIG ID: APWS-AT-000850  |  SRG: SRG-APP-000439-WSR-000151 |  Severity: high |  CCI: CCI-002418,CCI-002422,CCI-002476 |  Vulnerability Id: V-256963 | 

Vulnerability Discussion

Preventing the disclosure of transmitted information requires that the Automation Controller web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).

Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster.

If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.

Satisfies: SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113

Check

As a System Administrator for each Automation Controller NGINX web server host, enumerate all available server connections:

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; grep '\s*listen'
NGINXCONF | grep -v ssl

Ensure each available server connection that does not use SSL upgrades this connection to use SSL via an allowed method:

- is redirected to an SSL server connection, e.g., "return 301 https://$host:443$request_uri";
- is rewritten to an SSL server URL, e.g., "rewrite ^ https://$host$request_uri? permanent;";
- is dropped silently;
- or used other organizationally approved connection handling.

Examine the NGINX configuration, for example:

vi $NGINXCONF

If any available server connection is not handled or upgraded to SSL via an organizationally approved method, this is a finding.

Fix

As a System Administrator for each Automation Controller NGINX web server host, for each available server connection that is not handled or upgraded to SSL via an organizationally approved method, perform one of the following actions:

Remove the available server connections.
OR
Upgrade the connection via redirect to an SSL server connection.
OR
Rewrite the connection URL to an HTTPS server connection.
OR
Other organizationally defined handling method.

Reload the NGINX server configuration.

pkill -HUP nginx

Alternatively, reinstall Automation Controller for each web server host.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.