Known Issue: FME Form Encryption Weaknesses

Liz Sanderson

FME Version
  Known Issue IDs: FMEFORM-28748, FMEFORM-28749, FMEFORM-28750
  CVE: Pending
  Discovered: 2023.0.0.1
  Affects: All FME Form 2023.0 and FME Desktop* 2022.2 and prior versions
  Resolved: Remediation in progress; see available workarounds

*FME Desktop was renamed to FME Form for FME 2023.0

We have not identified active exploitation of this vulnerability in any of our products.

Symptom

Encryption weaknesses in FME Form (formerly FME Desktop) could be abused by an adversary to decrypt data stored on the client, such as saved credentials, and use it to gain unauthorized access to a connected FME Flow (formerly FME Server) instance and to other systems that FME Form integrates with.

Cause

An attacker with access to the user's profile on the client machine could reverse engineer the cryptographic functions FME Form uses to protect stored data and decrypt sensitive material, such as stored credentials. Access to that profile (and the key store files it holds) is the precondition for the attack.

Severity

Safe Software assesses the severity of this vulnerability as Medium, based on our calculated CVSS score of 6.5. This is our assessment; evaluate its applicability to your own IT environment.

Workarounds

At this time, we recommend the following workarounds. Each workaround on its own blocks the current attack vector, and they are complementary, so more than one can be applied.

  • Upgrade to FME Form 2023.1+ and delete the Java Key Store Files. This version no longer ships the Java libraries, so the Java Key Store Files can be deleted without side effects.
    • To find the Java key store in FME 2023.1+, go to Tools > FME Options > Default Paths, which shows the location of the FME Key Store Files; the Java Key Store Files (ending in .jceks) are in the same location. Do not delete the FME Key Store Files (ending in .fmeks).
  • Configure FME to password protect the key store files.
  • Administrators can move the key store location to a directory that requires escalated privilege, or restrict permissions on the files (e.g. change the permissions to ‘just me’).
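As an added example (not Safe Software's code or a supported FME tool), the following POSIX shell script carries out the file-level parts of the workarounds above on a Linux or macOS install: it removes the Java Key Store Files (*.jceks), leaves the FME Key Store Files (*.fmeks) in place, restricts the key store directory and the .fmeks files to the owning user, and then verifies that nothing readable by other accounts remains. The directory path is an assumption; pass the location shown under Tools > FME Options > Default Paths. Delete the .jceks files only on FME Form 2023.1 or later, as the first workaround states.

```shell
#!/bin/sh
# Added example, not Safe Software's code. Applies the file-level workarounds from
# the advisory to an FME key store directory on Linux/macOS:
#   1. remove the Java Key Store Files (*.jceks)   -- FME Form 2023.1+ only
#   2. keep the FME Key Store Files (*.fmeks)
#   3. restrict the directory (0700) and the .fmeks files (0600) to the owner
#   4. verify that nothing accessible to group/others is left behind
# The directory is an assumption: pass the path shown under
# Tools > FME Options > Default Paths.
#
# Usage: harden_fme_keystore /path/from/Default-Paths

# True if PATH grants no permission bits to group or others. Columns 5-10 of the
# ls -l mode string are the group and other triplets, e.g. "-rw-------".
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 1: delete every *.jceks directly inside DIR, naming each file removed.
remove_java_keystores() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir"/*.jceks; do
        [ -e "$f" ] || continue     # the glob matched nothing
        echo "removing $f"
        rm -f "$f" || return 1
    done
}

# Step 3: owner-only access on the directory and on each remaining *.fmeks.
restrict_fme_keystores() {
    dir=$1
    [ -d "$dir" ] || return 1
    chmod 700 "$dir" || return 1
    for f in "$dir"/*.fmeks; do
        [ -e "$f" ] || continue
        chmod 600 "$f" || return 1
    done
}

# Step 4: succeed only when no *.jceks remains and neither the directory nor
# any *.fmeks is accessible to group or others.
check_keystore_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.jceks; do
        if [ -e "$f" ]; then
            echo "java key store still present: $f" >&2
            return 1
        fi
    done
    owner_only "$dir" || { echo "directory not owner-only: $dir" >&2; return 1; }
    for f in "$dir"/*.fmeks; do
        [ -e "$f" ] || continue
        owner_only "$f" || { echo "key store not owner-only: $f" >&2; return 1; }
    done
    return 0
}

# Run all steps; non-zero exit means the directory is still exposed.
harden_fme_keystore() {
    remove_java_keystores "$1" && restrict_fme_keystores "$1" && check_keystore_dir "$1"
}
```

On Windows, the permission step corresponds to removing inherited ACLs from the key store directory and granting access to your own account only (with icacls or the Security tab in Explorer); the .jceks deletion is the same. Password protecting the key store files is done inside FME and is not covered by this script.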


Will I be notified when the fixed release is available?

You may subscribe to our mailing list to be notified when new downloads are available on our Downloads page, and this article will be updated accordingly.
 

Recognition 

We would like to thank Malware Security for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.
 

Reporting Security Issues

If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
 

Support

If you have questions or concerns regarding this advisory, please raise a support request.
