CVE-2018-20402 in FME Server

Summary

by MITRE

Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords to the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts.


Analysis

by VulDB Data Team • 04/23/2020

This vulnerability affects Safe Software FME Server version 2018.1 and earlier, presenting a significant security weakness through the automatic creation of default accounts with predictable credentials. The flaw manifests as an insecure default configuration where the software generates three additional user accounts beyond the initial administrator account, specifically named guest, user, and author. These accounts are created with passwords that match their respective usernames, creating a critical authentication weakness that violates fundamental security principles. The vulnerability stems from the software's design decision to preconfigure these accounts without requiring administrators to explicitly set secure passwords, effectively creating a backdoor that can be exploited by any attacker with basic knowledge of the system's default configuration.

The technical implementation of this vulnerability demonstrates poor security engineering practices, as the system automatically provisions accounts with weak credentials that are well-known to attackers. This design flaw enables unauthorized access to the FME Server environment through the default accounts, which are created during the initial installation process and remain active unless explicitly disabled or modified by the system administrator. The accounts are configured with default privilege roles that provide varying levels of access to the server's functionality, meaning that successful exploitation of this vulnerability can grant attackers different degrees of control depending on which account they compromise. This issue represents a classic example of insecure default configuration, where the software fails to enforce strong authentication mechanisms during the initial setup process.

The operational impact of this vulnerability is substantial, as it provides attackers with multiple potential entry points into the FME Server environment without requiring any specialized knowledge or advanced exploitation techniques. Any user who can access the system can attempt to log in using the default credentials for guest, user, or author accounts, potentially gaining unauthorized access to sensitive data processing capabilities. The vulnerability affects organizations that may not be aware of these default accounts being created, as they are typically not explicitly documented in the installation process and can remain active indefinitely. This creates an ongoing risk where unauthorized users could exploit these accounts to perform data manipulation, access restricted functionality, or potentially escalate privileges to the administrator level, depending on the specific role assignments for each default account.

Organizations should immediately address this vulnerability by disabling or removing the default accounts that are automatically created during installation, as recommended by the CWE-798 standard for insecure default passwords. The mitigation strategy should include ensuring that all default accounts are either deleted or have their passwords changed to strong, unique values that comply with industry security standards such as those outlined in the NIST SP 800-63B guidelines for authentication. System administrators should also implement monitoring procedures to detect any unauthorized access attempts to these default accounts and establish regular security audits to verify that no unauthorized accounts exist in the system. Additionally, organizations should consider implementing network segmentation and access controls to limit the exposure of the FME Server to unauthorized users, as specified in the MITRE ATT&CK framework's privilege escalation techniques. The vulnerability highlights the importance of secure configuration management and proper access control implementation, particularly in enterprise environments where data processing systems may be exposed to external threats.
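The audit and monitoring steps above, as an added example that is not VulDB's or Safe Software's code: it flags which of the three default accounts are still enabled in an account inventory and picks logins to those accounts out of authentication log lines. The inventory shape, role names and log line format are assumptions constructed for the example, not FME Server's real API or log format.

```python
import re
from dataclasses import dataclass

# Default accounts named in the advisory; their passwords equal the usernames.
DEFAULT_ACCOUNTS = {"guest", "user", "author"}

@dataclass
class Account:
    name: str
    enabled: bool
    roles: tuple  # constructed role labels, not FME Server's real role names

def audit_accounts(accounts):
    """Return the names of default accounts that are still enabled.

    Every name returned should be disabled, removed, or given a strong,
    unique password as the mitigation paragraph recommends."""
    return sorted(a.name for a in accounts
                  if a.name.lower() in DEFAULT_ACCOUNTS and a.enabled)

# Constructed authentication-log format (assumption, not FME Server's real format):
#   <timestamp> LOGIN <SUCCESS|FAILURE> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$")

def default_account_logins(lines):
    """Return (timestamp, user, result, source) for each parsable log line whose
    user is a default account; both successes and failures are reported because
    either is worth alerting on, and malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("user").lower() in DEFAULT_ACCOUNTS:
            hits.append((m["ts"], m["user"], m["result"], m["src"]))
    return hits

# Constructed sample inventory: an administrator already disabled 'author'.
SAMPLE_ACCOUNTS = [
    Account("admin", True, ("administrator-role",)),
    Account("guest", True, ("guest-role",)),
    Account("user", True, ("user-role",)),
    Account("author", False, ("author-role",)),
    Account("jsmith", True, ("user-role",)),
]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2018-12-23T10:00:01Z LOGIN SUCCESS user=admin src=10.0.0.5",
    "2018-12-23T10:02:14Z LOGIN SUCCESS user=guest src=203.0.113.7",
    "2018-12-23T10:02:20Z LOGIN FAILURE user=author src=203.0.113.7",
    "garbage line that does not parse",
    "2018-12-23T10:05:00Z LOGIN SUCCESS user=jsmith src=10.0.0.9",
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` on the sample inventory reports `guest` and `user` as still enabled, and `default_account_logins(SAMPLE_LOG)` surfaces the successful `guest` login and the failed `author` attempt from the same source.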

Reservation

12/23/2018

Disclosure

12/23/2018

Moderation

accepted

CPE

ready

EPSS

0.00485

KEV

no

Activities

very low
