Vulnerability Discussion
Preventing the disclosure of transmitted information requires that the Automation Controller web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).
Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster.
If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
Satisfies: SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000442-WSR-000182, SRG-APP-000429-WSR-000113
Check
As a System Administrator for each Automation Controller NGINX web server host, enumerate all available server connections:
NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}')
grep '\s*listen' $NGINXCONF | grep -v ssl
Ensure each available server connection that does not use SSL upgrades this connection to use SSL via an allowed method:
- is redirected to an SSL server connection, e.g., "return 301 https://$host:443$request_uri";
- is rewritten to an SSL server URL, e.g., "rewrite ^ https://$host$request_uri? permanent;";
- is dropped silently;
- or is handled by another organizationally approved connection handling method.
Examine the NGINX configuration, for example:
vi $NGINXCONF
If any available server connection is not handled or upgraded to SSL via an organizationally approved method, this is a finding.
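The grep above only lists listen directives without "ssl"; the finding itself depends on whether each such server block redirects or rewrites to HTTPS. The following script is an added illustration, not part of the STIG or of Automation Controller, and runs against a constructed sample configuration (the hostnames and ports in it are made up); it walks each server block and reports the ones that listen in plain HTTP without a "return 30x https://" or "rewrite ... https://" directive.

```shell
#!/bin/sh
# Constructed sample NGINX config (not from a real controller host): the first
# server block upgrades plain HTTP to HTTPS, the second does not, the third is TLS.
SAMPLE_CONF=$(cat <<'EOF'
http {
    server {
        listen 80;
        server_name controller.example.internal;
        return 301 https://$host:443$request_uri;
    }
    server {
        listen 8080;
        server_name legacy.example.internal;
        location / { proxy_pass http://127.0.0.1:8052; }
    }
    server {
        listen 443 ssl;
        server_name controller.example.internal;
    }
}
EOF
)

# audit_plain_listeners: read an NGINX config on stdin and print one FINDING
# line per server block that listens without "ssl" and carries neither a
# "return 30x https://..." nor a "rewrite ... https://..." directive.
# Returns 1 when at least one finding is printed, 0 otherwise.
audit_plain_listeners() {
    awk '
      /^[ \t]*server[ \t]*\{/ { in_srv = 1; plain = ""; upgraded = 0; name = "(no server_name)" }
      in_srv && /^[ \t]*listen[ \t]/ && !/[ \t]ssl[ \t;]/ { p = $2; sub(/;$/, "", p); plain = plain " " p }
      in_srv && /^[ \t]*server_name[ \t]/ { name = $2; sub(/;$/, "", name) }
      in_srv && (/return[ \t]+30[1278][ \t]+https:\/\// || /rewrite[ \t].*[ \t]https:\/\//) { upgraded = 1 }
      # Track brace depth so the block end is found even with one-line location blocks.
      { depth += gsub(/\{/, "{") - gsub(/\}/, "}") }
      /^[ \t]*server[ \t]*\{/ { sdepth = depth }
      in_srv && depth < sdepth {
          if (plain != "" && !upgraded) {
              print "FINDING: server " name " listens on" plain " without an https upgrade"
              found = 1
          }
          in_srv = 0
      }
      END { exit found }
    '
}

printf '%s\n' "$SAMPLE_CONF" | audit_plain_listeners || echo "one or more plain-HTTP server blocks need attention"
```

On a real host, feed it the file from $NGINXCONF (and any files it includes), since the sample above is only there to make the script runnable offline.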
Fix
As a System Administrator for each Automation Controller NGINX web server host, for each available server connection that is not handled or upgraded to SSL via an organizationally approved method, perform one of the following actions:
Remove the available server connections.
OR
Upgrade the connection via redirect to an SSL server connection.
OR
Rewrite the connection URL to an HTTPS server connection.
OR
Other organizationally defined handling method.
Reload the NGINX server configuration by executing the following:
pkill -HUP nginx
(Alternatively, reinstall Automation Controller for each web server host.)