| Known Issue ID | FMEFLOW-20595 |
|---|---|
| CVE | CVE-2023-35801 |
| Discovered | FME Server 2022.1.1 |
| Affects | FME Server versions prior to 2022.2.5 |
| Resolved | FME Server 2022.2.5 and FME Flow (formerly FME Server) 2023.0 |
FME Flow Hosted (formerly FME Cloud) instances are not affected, as network shared resources are disallowed on FME Flow instances running on FME Flow Hosted. We have not identified active exploitation of this vulnerability in any of our products.
Symptom
CVE-2023-35801: FME Flow (formerly FME Server) offers the capability to integrate various resources, including network-based resources. FME Flow validates whether a given path for a network-based resource actually refers to a network-based resource by checking the string's format. In some situations, a user account with write privileges can bypass this validation by modifying the string, allowing an attacker to break out of the FME Flow folder.
Cause
When creating a new resource connection, there is validation of the directory path value to prevent misuse of known paths; when editing the connection, the validation check is not performed.
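As an added illustration of the fix pattern (hypothetical code, not FME Flow's implementation), the store below routes both the create and the edit operation through the same validator, which accepts only a UNC share path and rejects drive letters, device-path prefixes and '.'/'..' components:

```python
import re
from dataclasses import dataclass, field

# Hypothetical resource-connection store; illustrates the pattern, not FME Flow's code.

class InvalidResourcePath(ValueError):
    """Raised when a path is not an acceptable network share path."""

# Host label or IPv4 literal. Also excludes '?' and '.', the Win32 device-path
# prefixes (\\?\ and \\.\) that look like UNC but can address a local drive.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
_COMPONENT_RE = re.compile(r'^[^\\/:*?"<>|\x00-\x1f]+$')

def validate_network_path(path: str) -> str:
    """Return the path in canonical UNC form, or raise InvalidResourcePath."""
    normalized = path.replace("/", "\\").rstrip("\\")
    if not normalized.startswith("\\\\"):
        raise InvalidResourcePath("not a UNC network share path")
    parts = normalized[2:].split("\\")
    if len(parts) < 2 or not _HOST_RE.match(parts[0]):
        raise InvalidResourcePath("missing or invalid host or share name")
    for component in parts[1:]:
        # Reject traversal components outright instead of silently normalizing them.
        if component in {".", ".."} or not _COMPONENT_RE.match(component):
            raise InvalidResourcePath(f"invalid path component {component!r}")
    return "\\\\" + "\\".join(parts)

def is_valid_network_path(path: str) -> bool:
    try:
        validate_network_path(path)
        return True
    except InvalidResourcePath:
        return False

@dataclass
class ResourceConnections:
    """Minimal store that applies the identical check on create and on edit."""
    paths: dict = field(default_factory=dict)

    def create(self, name: str, path: str) -> str:
        self.paths[name] = validate_network_path(path)
        return self.paths[name]

    def update(self, name: str, path: str) -> str:
        # The advisory's root cause was validating only on create; the edit
        # path must run the same validator, not just a presence check.
        if name not in self.paths:
            raise KeyError(name)
        self.paths[name] = validate_network_path(path)
        return self.paths[name]
```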
Severity
Safe Software assesses the severity of this vulnerability as Medium, according to our calculated CVSS score of 5.7. This is Safe Software's assessment, and you should evaluate its applicability to your own IT environment.
Resolution
Upgrade to FME Server 2022.2.5 or FME Flow 2023.0 or newer, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.
Workarounds
If you are unable to upgrade to FME Server 2022.2.5+ or FME Flow 2023.0+, we recommend the following workarounds:
1. FME Flow administrators can limit the permissions of Roles or individual User Accounts.
- Select any Role or User Account on the User Management pages in the Web Interface and remove the ‘Create’ permission for Resources.
- This will also limit the ability for users to create AWS S3 Resource Connections.
2. System administrators can configure the OS-level security permissions for the Service Account running FME Flow Services to have more restricted access to folders and files.
- See the documentation for changing the Service Account running FME Flow Services.
3. System administrators can add the following parameter to the fmeServerConfig.txt file and restart FME Flow to remove the ability to create Network-based Resource Connections:
NETWORK_SHARED_RESOURCE_TYPE_DISABLED=true
Recognition
We would like to thank TÜV TRUST IT TÜV Austria (Lejla Sarcevic, Simon Schönegger) for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.
Reporting Security Issues
If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.
Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
Support
If you have questions or concerns regarding this advisory, please raise a support request.