Known Issue: FME Flow Secrets Encryption Weakness

Liz Sanderson

FME Version

Known Issue IDs: FMEFLOW-18670, FLOWHOSTED-2149
CVE: Pending
Discovered: 2022.0.1
Affects: FME Server 2022.2.x or older and FME Flow 2023.0 (formerly FME Server), including FME Server/FME Flow instances running on FME Flow Hosted (formerly FME Cloud)
Resolved: FME Flow (formerly FME Server) 2023.1+

We have not identified active exploitation of this vulnerability in any of our products.

Symptom

Weaknesses in the encryption scheme used to encrypt secrets in FME Flow (formerly FME Server) could be exploited by an attacker to gain unauthorized access to the server or its environment.

Cause

An adversary with read access to a configuration or backup file may be able to reverse engineer the scheme and decrypt sensitive data stored in that file, such as passwords.

Severity

Safe Software assesses the severity of this vulnerability as High, according to our calculated CVSS score of 7.2. This is our assessment, and you should evaluate its applicability to your own IT environment.

Resolution

Upgrade to FME Flow 2023.1 or newer, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.

Workarounds

If you are unable to upgrade to FME Flow 2023.1+, we recommend the following workaround:

  • Configure the Encryption Mode for ‘System Encryption’ to Restricted.
    • Download and back up the System Encryption Key file so that you can restore from a backup in the future. Without the key, sensitive data in a backup cannot be decrypted.
    • Note that the Encryption Mode options have been renamed in FME Flow 2023.1+:
      • “Restricted” → Standard (Recommended)
      • “Secure (Default)” → Weak


Recognition

We would like to thank Malware Security for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.

Reporting Security Issues

If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.

Support

If you have questions or concerns regarding this advisory, please raise a support request.
