Known Issue: FME Flow Directory Traversal Vulnerability

Liz Sanderson
Known Issue ID: FMEFLOW-20595
CVE: CVE-2023-35801
Discovered: FME Server 2022.1.1
Affects: FME Server versions prior to 2022.2.5
Resolved: FME Server 2022.2.5 and FME Flow (formerly FME Server) 2023.0

FME Flow Hosted (formerly FME Cloud) instances are not affected, as network shared resources are disallowed on FME Flow instances running on FME Flow Hosted. We have not identified active exploitation of this vulnerability in any of our products.

Symptom

CVE-2023-35801: FME Flow (formerly FME Server) offers the capability to integrate various resources, including network-based resources. FME Flow validates whether a given path for a network-based resource refers to a network-based resource by checking the string's format. In some situations, a user account with write privileges can bypass this validation by modifying the string, allowing an attacker to break out of the FME Flow folder.


Cause

When creating a new resource connection, the directory path value is validated to prevent misuse of known paths; when editing an existing connection, the same validation check is not performed.

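The validation gap described above, illustrated with an added Python example that is not Safe Software's code: the validator, the ResourceStore class and the sample paths are hypothetical and constructed for this illustration. The point it shows is the fix pattern, a structural check on the UNC path (host, share, no traversal segments, no loopback host or administrative share) that runs on every write, on update exactly as on create, rather than a string-format check that runs only when the connection is created.

```python
# Added example, not FME Flow code. The validator and in-memory store below are
# hypothetical stand-ins for a resource-connection registry; they show one check
# applied on every write (create and edit), not only on create.

# Hosts that would point a "network" resource back at the server's own disk,
# plus the "?" of the \\?\ extended-length prefix. Constructed deny list.
DISALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", ".", "?"}


class InvalidResourcePath(ValueError):
    """Raised when a path is not an acceptable network-shared resource."""


def validate_network_path(raw: str) -> str:
    """Return a normalized UNC path (\\\\host\\share[\\sub...]) or raise.

    Checks the structure of the path rather than just its prefix:
    - must be a UNC path with a non-empty host and share;
    - host must not be the local machine and the share must not be an
      administrative share ending in '$';
    - no empty, '.' or '..' segments, so the stored path cannot resolve
      outside the share it names.
    """
    if not isinstance(raw, str) or not raw.strip():
        raise InvalidResourcePath("empty path")
    norm = raw.strip().replace("/", "\\")
    if not norm.startswith("\\\\"):
        raise InvalidResourcePath(f"not a UNC network path: {raw!r}")
    parts = norm[2:].rstrip("\\").split("\\")
    host = parts[0]
    share = parts[1] if len(parts) > 1 else ""
    subdirs = parts[2:]
    if not host or not share:
        raise InvalidResourcePath(f"missing host or share: {raw!r}")
    if host.lower() in DISALLOWED_HOSTS:
        raise InvalidResourcePath(f"local or special host not allowed: {raw!r}")
    if share.endswith("$"):
        raise InvalidResourcePath(f"administrative share not allowed: {raw!r}")
    for seg in subdirs:
        # Windows ignores trailing dots and spaces, so "..", "...", ". ." and ""
        # all collapse to an empty or parent reference: reject them all.
        if not seg.strip(" ."):
            raise InvalidResourcePath(f"path traversal segment in {raw!r}")
    return "\\\\" + "\\".join([host, share, *subdirs])


def is_valid_network_path(raw: str) -> bool:
    """Boolean wrapper around validate_network_path for callers that just need a verdict."""
    try:
        validate_network_path(raw)
        return True
    except InvalidResourcePath:
        return False


class ResourceStore:
    """Constructed in-memory registry of resource connections (name -> UNC path)."""

    def __init__(self) -> None:
        self._paths: dict[str, str] = {}

    def create(self, name: str, path: str) -> str:
        self._paths[name] = validate_network_path(path)
        return self._paths[name]

    def update(self, name: str, path: str) -> str:
        # Same validator on edit: the advisory's cause was a check that ran on create only.
        if name not in self._paths:
            raise KeyError(name)
        self._paths[name] = validate_network_path(path)
        return self._paths[name]

    def get(self, name: str) -> str:
        return self._paths[name]


if __name__ == "__main__":
    store = ResourceStore()
    print("created:", store.create("gisdata", r"\\fileserver\gisdata\rasters"))
    # Constructed inputs that must be rejected on edit just as on create.
    for candidate in (r"\\fileserver\gisdata\..\..\other",
                      r"C:\FMEServer",
                      r"\\localhost\C$\Windows"):
        try:
            store.update("gisdata", candidate)
        except InvalidResourcePath as exc:
            print("rejected:", exc)
    print("still:", store.get("gisdata"))
```

The store keeps the last validated value when an update is rejected, so a failed edit cannot leave a half-applied path behind; in a real product the same validator would also be wired to any import or API route that writes the connection.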
Severity

Safe Software assesses the severity of this vulnerability as Medium, according to our calculated CVSS score of 5.7. This is Safe Software's assessment, and you should evaluate its applicability to your own IT environment.

Resolution

Upgrade to FME Server 2022.2.5 or FME Flow 2023.0 or newer, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.

Workarounds

If you are unable to upgrade to FME Server 2022.2.5+ or FME Flow 2023.0+, we recommend the following workarounds:

1. FME Flow administrators can limit the permissions of Roles or individual User Accounts.

  • Select any Role or User Account on the User Management pages in the Web Interface and remove the ‘Create’ permission for Resources.
  • This will also limit the ability for users to create AWS S3 Resource Connections.

2. System administrators can configure the OS-level security permissions for the Service Account running FME Flow Services to have more restricted access to folders and files.

  • See the documentation for changing the Service Account running FME Flow Services.


3. System administrators can add the following parameter to the fmeServerConfig.txt file and restart FME Flow to remove the ability to create Network-based Resource Connections:

NETWORK_SHARED_RESOURCE_TYPE_DISABLED=true


Recognition

We would like to thank TÜV TRUST IT TÜV Austria (Lejla Sarcevic, Simon Schönegger) for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.

Reporting Security Issues

If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.

Support

If you have questions or concerns regarding this advisory, please raise a support request.