Possible security issue? CVE-2018-20402

  • February 25, 2019

Hello, I was looking into FME Server when I noticed that there was a vulnerability listed for the software. It can be found here: https://nvd.nist.gov/vuln/detail/CVE-2018-20402

Has this been acknowledged?


redgeographics
Celebrity

That (i.e. the creation of 3 default accounts fmeauthor, fmeuser and fmeguest) does indeed happen. Somebody with the fmeauthor account has permission to upload workspaces and run them; the other two only allow running workspaces.

If you are concerned about this, the easiest way to solve it is to either disable or delete those accounts, or change their passwords.


cfinley (Author)
  • February 25, 2019
redgeographics wrote:

That (i.e. the creation of 3 default accounts fmeauthor, fmeuser and fmeguest) does indeed happen. Somebody with the fmeauthor account has permission to upload workspaces and run them; the other two only allow running workspaces.

If you are concerned about this, the easiest way to solve it is to either disable or delete those accounts, or change their passwords.

@redgeographics Great, thank you! So the FME Team is aware that a CVE advisory was created for this?


redgeographics
Celebrity
cfinley wrote:

@redgeographics Great, thank you! So the FME Team is aware that a CVE advisory was created for this?

I don't know that; I am a Safe Software Partner, not an employee, but I'm sure @Mark2AtSafe can find that out.


david_r
Celebrity
  • February 26, 2019

I agree with @redgeographics about this being a known "issue", insofar as it's only an issue if you don't follow best practices when installing production software.

I would also add that deleting the Samples repository is a good idea on production servers; you basically want to remove as much default behavior as possible to prevent any possible attack vector.

See also http://docs.safe.com/fme/html/FME_Server_Documentation/Content/AdminGuide/Securing_FME_Server.htm


mark2atsafe
Safer
  • February 26, 2019
redgeographics wrote:

I don't know that; I am a Safe Software Partner, not an employee, but I'm sure @Mark2AtSafe can find that out.

I've just asked our Server team and will let you know. But as you say, those accounts have no admin privileges at all. They wouldn't be able to carry out "unauthorized modification" to the system, as far as I can see. I do know that we're implementing new security for 2019 that involves tokens. I don't think it will avoid these accounts, but it does provide better ways to set up privileges. Keep an eye out on our blog and in our release webinars for more information.

david_r
Celebrity
  • February 26, 2019
mark2atsafe wrote:

I've just asked our Server team and will let you know. But as you say, those accounts have no admin privileges at all. They wouldn't be able to carry out "unauthorized modification" to the system, as far as I can see. I do know that we're implementing new security for 2019 that involves tokens. I don't think it will avoid these accounts, but it does provide better ways to set up privileges. Keep an eye out on our blog and in our release webinars for more information.

The biggest problem is the default 'author' user, since any workspace that is published through this user runs with the full rights of the engine account, which may be considerable.

Scenario 1: the engine runs under the default local system account. Someone creates a workspace that contains e.g. a Creator + SystemCaller and publishes it to the server using the 'author' user, making it possible to access, modify or delete any file on the server.

Scenario 2: the engine runs as a domain user so as to be able to read and write to different department groups on the network, including restricted groups such as HR, accounting etc. Using a Directory and File Pathnames reader, a malicious user could easily iterate over every file on the network shares and cherry-pick which ones to read, modify or delete by publishing a very simple custom workspace.

In my opinion these scenarios are potentially much worse than somebody getting FME Server admin privileges.

My opinion is that the default users should come as disabled by default.


mark2atsafe
Safer
  • February 26, 2019
david_r wrote:

The biggest problem is the default 'author' user, since any workspace that is published through this user runs with the full rights of the engine account, which may be considerable.

Scenario 1: the engine runs under the default local system account. Someone creates a workspace that contains e.g. a Creator + SystemCaller and publishes it to the server using the 'author' user, making it possible to access, modify or delete any file on the server.

Scenario 2: the engine runs as a domain user so as to be able to read and write to different department groups on the network, including restricted groups such as HR, accounting etc. Using a Directory and File Pathnames reader, a malicious user could easily iterate over every file on the network shares and cherry-pick which ones to read, modify or delete by publishing a very simple custom workspace.

In my opinion these scenarios are potentially much worse than somebody getting FME Server admin privileges.

My opinion is that the default users should come as disabled by default.

That (disabled by default) may well happen - and I believe it is already the case for FME Cloud. I've alerted the Server team to the situation and they are already tracking the issue (ref FMESERVER-10749). I think this gives them a little more encouragement to do something about this. We'll let you know when that happens.


david_r
Celebrity
  • February 27, 2019
mark2atsafe wrote:

That (disabled by default) may well happen - and I believe it is already the case for FME Cloud. I've alerted the Server team to the situation and they are already tracking the issue (ref FMESERVER-10749). I think this gives them a little more encouragement to do something about this. We'll let you know when that happens.

Excellent, thanks a lot for your help Mark!


rylanatsafe
Safer

We know that there has been some discussion concerning the default user accounts that FME Server ships with – namely the guest, user, and author accounts – and how these accounts are enabled by default with insecure passwords.

I'm pleased to share that we have taken two steps to reduce or eliminate this risk with FME Server 2020.0 (just released yesterday).

1. The guest, user, and author accounts are disabled for new installations of FME Server.

2. Password complexity is enabled by default to help ensure secure passwords are used for new user accounts.

Again, these changes are reflected for installations of FME Server 2020.0 or newer.

Thank you very much to those who contacted us through the FME Community or directly by email.
