Multiple vulnerabilities exist in Adobe FrameMaker Publishing Server (FMPS) December 2022 release Update 2 (17.0.2) and prior.
CVE-2024-30299 - FMPS API Authentication Bypass (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
FMPS 17.0.2 attempts to enforce authentication for API URL endpoints containing /server/queue and /server/tasks, but allows unauthenticated access to other URLs containing /server:
// login.js; URL matching is case-sensitive
// (jwtauth is the server's JWT middleware, defined elsewhere in FMPS)
module.exports = function () {
  return function (req, res, next) {
    // Paths that must always be authenticated
    var enableAuthentication = [
      '/server/queue',
      '/server/tasks',
      '/auth/register'
    ]
    // Paths exempt from authentication; note that '/server' is a
    // substring of every path under /server/
    var disableAuthentication = [
      '/connParams',
      '/workeridentifier',
      '/server',
      '/connectionParameter',
      '/auth/login',
      '/auth/ldap',
      '/doxserver'
    ]
    // String.prototype.includes() compares case-sensitively
    if (
      !disableAuthentication.some(function (v) {
        return req.path.includes(v)
      }) ||
      enableAuthentication.some(function (v) {
        return req.path.includes(v)
      })
    ) {
      jwtauth.jwtAuthenticate(req, res, next, function (founduser) {})
    } else {
      next()
    }
  }
}
The URL matching in login.js is performed in a case-sensitive manner. However, route matching in Node.js Express is not case-sensitive by default:
// Router.js; URL matching is not case-sensitive
var basePathbackend = '/server/'
[...]
app.use(basePathbackend + 'tasks', tasksapi)
[...]
app.use(basePathbackend + 'tasks/pre/', uploadpreapi)
app.use(basePathbackend + 'tasks/pre/', downloadpreapi)
app.use(basePathbackend + 'tasks/post/', uploadpostapi)
app.use(basePathbackend + 'tasks/post/', downloadpostapi)
[...]
app.use(basePathbackend + 'queue', queueapi)
[...]
As a result, an unauthenticated remote attacker can access protected FMPS API URLs containing /server/queue and /server/tasks by requesting /server/Queue and /server/Task instead, respectively. With access to these APIs, the actions the attacker can perform include but are not limited to:
- View, add, update, delete, and schedule FMPS publication tasks
- Upload and download pre-publish and post-publish scripts associated with tasks
- Potentially execute an attacker-controlled script (e.g., a Windows batch file) on an FMPS client system
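The following is an added example, not code from FMPS or from Adobe, that models the mismatch described above: the advisory's login.js filter uses case-sensitive substring checks, while Express's default routing matches mount paths case-insensitively. The Express matcher here is a simplified model of that default behaviour, the sample request paths are constructed, and the hardened filter (normalize the path the way the router will see it, then deny by default under /server with an explicit allowlist) is an assumed design, not Adobe's actual fix. The detection function can serve as a regression test for any such path-based authentication filter.

```javascript
// Added example (not FMPS code). Models the filter/router mismatch in the
// advisory and a deny-by-default replacement. Assumptions are marked.

// Route lists copied from the login.js excerpt in the advisory.
const ENABLE_AUTH = ['/server/queue', '/server/tasks', '/auth/register'];
const DISABLE_AUTH = [
  '/connParams', '/workeridentifier', '/server', '/connectionParameter',
  '/auth/login', '/auth/ldap', '/doxserver'
];

// Mount points from the Router.js excerpt that are meant to be protected.
const PROTECTED_MOUNTS = ['/server/tasks', '/server/queue'];

// The advisory's filter logic as written: case-sensitive substring checks.
function requiresAuthVulnerable(reqPath) {
  return !DISABLE_AUTH.some(v => reqPath.includes(v)) ||
         ENABLE_AUTH.some(v => reqPath.includes(v));
}

// Simplified model (assumption) of app.use(mount, router) with Express's
// default case-insensitive routing: the mount must match a whole-segment
// prefix of the request path, ignoring case and any trailing slash.
function expressMountMatches(mount, reqPath) {
  const m = mount.replace(/\/+$/, '').toLowerCase();
  const p = reqPath.replace(/\/+$/, '').toLowerCase();
  return p === m || p.startsWith(m + '/');
}

function reachesProtectedApi(reqPath) {
  return PROTECTED_MOUNTS.some(m => expressMountMatches(m, reqPath));
}

// Detection: request paths that reach a protected router while the filter
// lets them through without a JWT. Any non-empty result is a bypass.
function findUnauthenticatedReach(paths) {
  return paths.filter(p => reachesProtectedApi(p) && !requiresAuthVulnerable(p));
}

// Hardened filter (assumed design): canonicalize the path, then require
// authentication for everything except an explicit, normalized allowlist.
// The blanket '/server' exemption is dropped; any endpoint under /server that
// genuinely must be public has to be listed here by name.
const PUBLIC_EXACT = [
  '/connParams', '/workeridentifier', '/connectionParameter',
  '/auth/login', '/auth/ldap', '/doxserver'
].map(p => p.toLowerCase());

function normalizePath(reqPath) {
  // Collapse repeated slashes, drop trailing slash, lowercase: the same
  // shape the case-insensitive router will match against.
  const p = reqPath.replace(/\/{2,}/g, '/').replace(/\/+$/, '').toLowerCase();
  return p === '' ? '/' : p;
}

function requiresAuthFixed(reqPath) {
  const p = normalizePath(reqPath);
  return !PUBLIC_EXACT.some(pub => p === pub || p.startsWith(pub + '/'));
}

// Constructed sample request paths (not captured traffic).
const SAMPLE_PATHS = [
  '/server/tasks', '/server/queue',          // protected, filter works
  '/server/Tasks', '/server/Queue/',         // protected, filter misses
  '/server/TASKS/pre',                       // sub-router, filter misses
  '/auth/login', '/workeridentifier'         // legitimately public
];

console.log('reachable without auth (vulnerable filter):',
  findUnauthenticatedReach(SAMPLE_PATHS));
console.log('reachable without auth (fixed filter):',
  SAMPLE_PATHS.filter(p => reachesProtectedApi(p) && !requiresAuthFixed(p)));
```

In a real Express application the same canonicalization gap can also be closed at the router level, for example by setting `app.set('case sensitive routing', true)` so the router and the filter agree, but attaching the authentication middleware directly to the protected routers (so no path string comparison stands between the request and the check) removes the class of bug rather than one instance of it.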
An FMPS publication task can contain user credentials to external systems when the input source or the output folder is located on an external system. In this case, the attacker can view user credentials to a Content Management System (CMS) such as Microsoft SharePoint, DitaExchange, or Adobe Experience Manager.
In addition, the attacker can upload a malicious script to the FMPS server, submit a publication task with a post-publish script linked to the malicious script, and schedule the task to be run on a client system. The attacker-supplied script can potentially be executed on the client system if the user specified in the task is currently logged into the FMPS server.
When an FMPS user successfully logs into the FMPS server, an access token is created and stored in the accessToken field of that user's document in the users collection of the stubFM MongoDB database. When the user logs out, the accessToken field is set to empty.
When the client (i.e., FrameMakerEx.exe) 'fetches' a task to run, the downloaded task includes information about the user who submitted the task. This user information is sourced from the users collection in the stubFM database. It includes the username, encrypted password, and access token (JWT) if present. The client needs the access token to call authenticated API URLs in order to communicate properly with the FMPS server. For example, it needs a valid access token to download the post-publish script associated with the task.
The attacker can learn about valid FMPS users by viewing existing tasks. If one of the valid users is currently logged in, the attacker can impersonate that user when submitting a task to the FMPS server, and the attacker-controlled script could then be executed on a client system under the security context of the account running FrameMakerEx.exe.
CVE-2024-30300 - Sensitive Information Disclosure Via Fake FMPS Worker (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An unauthenticated remote attacker can register a host of their choosing as a worker/client for the FMPS server. The attacker can then 'fetch' tasks submitted by legitimate users. An access token (JWT) for the user who submitted the task is included in the task. The attacker can use the access token to perform authenticated operations. For example, if the user has ADMIN permission, the attacker can add another administrative FMPS user.