Possible security issue? CVE-2018-20402

That (i.e. the creation of 3 default accounts fmeauthor, fmeuser and fmeguest) does indeed happen. Somebody with the fmeauthor account has permission to upload workspaces and run them, the other two only allow to run workspaces.

If you are concerned about this the easiest way to solve it is to either disable or delete those accounts, or change their passwords.

@redgeographics Great thank you! So the FME Team is aware that a CVE Advisory was created for this?

I don't know that, I am a Safe Software Partner, not an employee, but I'm sure @Mark2AtSafe can find that out.

I agree with @redgeographics about this being a known "issue", in so far it's only an issue if you don't follow best practices when installing production software.

I would also add that deleting the Samples repository is a good idea on production servers, you basically want to remove as much default behavior as possible to prevent any possible attack vector.

See also http://docs.safe.com/fme/html/FME_Server_Documentation/Content/AdminGuide/Securing_FME_Server.htm

The biggest problem is the default 'author' user, since any workspace that is published through this user runs with the full rights of the engine account, which may be considerable.

Scenario 1: the engine runs under the default local system account. Someone creates a workspace that contains e.g. a Creator + SystemCaller and publishes it to the server using the 'author' user, making it possible to access, modify or delete any file on the server.

Scenario 2: the engine runs as a domain user so as to be able to read and write to different department groups on the network, including restricted groups such as HR, accounting etc. Using a Directory and File Pathnames reader a malicious user could easily iterate every file on the network shares and cherry pick which ones to read, modify or delete by publishing a very simple custom workspace.

In my opinion these scenarios are potentially much worse than somebody getting FME Server admin privileges.

My opinion is that the default users should come as disabled by default.

That (disabled by default) may well happen - and I believe it is already the case for FME Cloud. I've alerted the Server team to the situation and they are already tracking the issue (ref FMESERVER-10749). I think this gives them a little more encouragement to do something about this. We'll let you know when that happens.

Excellent, thanks a lot for your help Mark!

We know that there has been some discussion concerning the default user accounts that FME Server ships with – namely the guest, user, and author accounts – and how these accounts are enabled by default with insecure passwords.

I'm pleased to share that we have taken two steps to reduce or eliminate this risk with FME Server 2020.0 (just released yesterday).

1. The guest, user, and author accounts are disabled for new installations of FME Server.

2. Password complexity is enabled by default to help ensure secure passwords are used for new user accounts.

Again, these changes are reflected for installations of FME Server 2020.0 or newer.

Thank you very much to those who contacted us through the FME Community or directly by email.