Question

Possible security issue? CVE-2018-20402

  • 25 February 2019
  • 9 replies
  • 3 views

Hello, I was looking into FME Server when I noticed that there was a vulnerability listed for the software. It can be found here: https://nvd.nist.gov/vuln/detail/CVE-2018-20402


Has this been acknowledged?


That (i.e. the creation of 3 default accounts fmeauthor, fmeuser and fmeguest) does indeed happen. Somebody with the fmeauthor account has permission to upload workspaces and run them; the other two only allow running workspaces.

If you are concerned about this, the easiest way to solve it is to either disable or delete those accounts, or change their passwords.


@redgeographics Great thank you! So the FME Team is aware that a CVE Advisory was created for this?


I don't know that, I am a Safe Software Partner, not an employee, but I'm sure @Mark2AtSafe can find that out.

I agree with @redgeographics about this being a known "issue", insofar as it's only an issue if you don't follow best practices when installing production software.

I would also add that deleting the Samples repository is a good idea on production servers; you basically want to remove as much default behavior as possible to prevent any possible attack vector.

See also http://docs.safe.com/fme/html/FME_Server_Documentation/Content/AdminGuide/Securing_FME_Server.htm


I've just asked our Server team and will let you know. But as you say, those accounts have no admin privileges at all. They wouldn't be able to carry out "unauthorized modification" to the system, as far as I can see. I do know that we're implementing new security for 2019 that involves tokens. I don't think it will avoid these accounts, but it does provide better ways to set up privileges. Keep an eye out on our blog and in our release webinars for more information.

The biggest problem is the default 'author' user, since any workspace that is published through this user runs with the full rights of the engine account, which may be considerable.

Scenario 1: the engine runs under the default local system account. Someone creates a workspace that contains e.g. a Creator + SystemCaller and publishes it to the server using the 'author' user, making it possible to access, modify or delete any file on the server.

Scenario 2: the engine runs as a domain user so as to be able to read and write to different department groups on the network, including restricted groups such as HR, accounting etc. Using a Directory and File Pathnames reader a malicious user could easily iterate every file on the network shares and cherry pick which ones to read, modify or delete by publishing a very simple custom workspace.

In my opinion these scenarios are potentially much worse than somebody getting FME Server admin privileges.

My opinion is that the default users should come as disabled by default.


That (disabled by default) may well happen - and I believe it is already the case for FME Cloud. I've alerted the Server team to the situation and they are already tracking the issue (ref FMESERVER-10749). I think this gives them a little more encouragement to do something about this. We'll let you know when that happens.


Excellent, thanks a lot for your help Mark!


We know that there has been some discussion concerning the default user accounts that FME Server ships with – namely the guest, user, and author accounts – and how these accounts are enabled by default with insecure passwords.

I'm pleased to share that we have taken two steps to reduce or eliminate this risk with FME Server 2020.0 (just released yesterday).

1. The guest, user, and author accounts are disabled for new installations of FME Server.

2. Password complexity is enabled by default to help ensure secure passwords are used for new user accounts.

Again, these changes are reflected for installations of FME Server 2020.0 or newer.


Thank you very much to those who contacted us through the FME Community or directly by email.
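As an added example (not from the thread or from Safe Software), here is a small audit script that checks an existing installation against the hardening advice given above: the three default accounts should be disabled or removed, and the Samples repository should not be present on a production server. It assumes the account and repository listings are supplied as plain dicts (e.g. decoded from a REST response or an export) with the field names "name" and "enabled"; those field names and the sample data are assumptions, not the product's documented schema.

```python
"""Audit FME Server defaults discussed in the thread (added example)."""
from dataclasses import dataclass

# The three default accounts named in the thread.
DEFAULT_ACCOUNTS = {"fmeauthor", "fmeuser", "fmeguest"}
# Default repository the thread recommends removing on production servers.
DEFAULT_REPOSITORIES = {"Samples"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    subject: str    # account or repository name
    message: str


def audit_accounts(accounts):
    """Flag default accounts that are still enabled, or still present at all."""
    findings = []
    for acct in accounts:
        name = str(acct.get("name", "")).lower()
        if name not in DEFAULT_ACCOUNTS:
            continue
        if acct.get("enabled", True):   # assume enabled if the field is absent
            # fmeauthor can publish workspaces, which then run with the engine
            # account's privileges, so it is the most severe of the three.
            severity = "high" if name == "fmeauthor" else "medium"
            findings.append(Finding(severity, name,
                "default account enabled: disable or delete it, or change its password"))
        else:
            findings.append(Finding("low", name,
                "default account present but disabled: consider deleting it"))
    return findings


def audit_repositories(repositories):
    """Flag sample repositories that should not exist on a production server."""
    return [Finding("medium", repo["name"], "sample repository present: remove it")
            for repo in repositories if repo.get("name") in DEFAULT_REPOSITORIES]


def audit(accounts, repositories):
    return audit_accounts(accounts) + audit_repositories(repositories)


# Constructed sample data, not taken from a real server.
SAMPLE_ACCOUNTS = [{"name": "admin", "enabled": True},
                   {"name": "fmeauthor", "enabled": True},
                   {"name": "fmeuser", "enabled": False},
                   {"name": "fmeguest", "enabled": True}]
SAMPLE_REPOS = [{"name": "Samples"}, {"name": "Production"}]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, SAMPLE_REPOS):
        print(f"[{f.severity}] {f.subject}: {f.message}")
```

On the constructed sample the audit reports fmeauthor (high), fmeguest (medium), the Samples repository (medium) and the disabled fmeuser account (low); an installation hardened as described in the thread, or a fresh 2020.0 install with the accounts deleted, produces no findings.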
