
Multiple Vulnerabilities in Adobe FrameMaker Publishing Server (FMPS) December 2022 release Update 2

Critical

Synopsis

Multiple vulnerabilities exist in Adobe FrameMaker Publishing Server (FMPS) December 2022 release Update 2 (17.0.2) and prior.

CVE-2024-30299 - FMPS API Authentication Bypass (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

FMPS 17.0.2 attempts to enforce authentication for API URL endpoints containing /server/queue and /server/tasks, but allows unauthenticated access for other URLs containing /server:

// login.js; URL matching via req.path.includes() is case sensitive
module.exports = function () {
 return function (req, res, next) {
   var enableAuthentication = [
     '/server/queue',
     '/server/tasks',
     '/auth/register'
   ]
   var disableAuthentication = [
     '/connParams',
     '/workeridentifier',
     '/server',
     '/connectionParameter',
     '/auth/login',
     '/auth/ldap',
     '/doxserver'
   ]
   if (
     !disableAuthentication.some(function (v) {
       return req.path.includes(v)
     }) ||
     enableAuthentication.some(function (v) {
       return req.path.includes(v)
     })
   ) {
     jwtauth.jwtAuthenticate(req, res, next, function (founduser) {})
   } else {
     next()
   }
 }
}

The includes() checks in login.js are case sensitive. Express route and mount matching (app.use), however, is not case sensitive by default; the "case sensitive routing" setting is off unless the application enables it:

// Router.js; Express mount matching is not case sensitive by default
var basePathbackend = '/server/'
[...]
app.use(basePathbackend + 'tasks', tasksapi)
[...]
app.use(basePathbackend + 'tasks/pre/', uploadpreapi)
app.use(basePathbackend + 'tasks/pre/', downloadpreapi)
app.use(basePathbackend + 'tasks/post/', uploadpostapi)
app.use(basePathbackend + 'tasks/post/', downloadpostapi)
[...]
app.use(basePathbackend + 'queue', queueapi)
[...]

As a result, an unauthenticated remote attacker can reach the protected FMPS API endpoints under /server/queue and /server/tasks simply by changing the case of the path, e.g., /server/Queue and /server/Tasks. The mixed-case path still matches the '/server' entry in disableAuthentication but no longer matches the lower-case entries in enableAuthentication, so login.js calls next() without authenticating, while Express still routes the request to queueapi and tasksapi. With access to these APIs, the actions the attacker can perform include, but are not limited to:

- View, add, update, delete, and schedule FMPS publication tasks
- Upload and download pre-publish and post-publish scripts associated with tasks
- Potentially execute an attacker-controlled script (e.g., a Windows batch file) on an FMPS client system
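The following is an added example, not code from FMPS or from this advisory. It models the login.js decision above and Express's default case-insensitive mount matching in plain Node.js (no Express dependency), so the bypass can be checked offline, and then shows a default-deny replacement for the check. The mount-matching model assumes Express 4 semantics (prefix compared case-insensitively, ending on a path-segment boundary); the handler names and the publicPrefixes list are illustrative.

```javascript
// Added example, not FMPS code: models the login.js decision and Express's
// default case-insensitive mount matching so the bypass can be checked
// offline, then shows a default-deny replacement for the check.

// The two lists exactly as they appear in the 17.0.2 login.js.
const enableAuthentication = ['/server/queue', '/server/tasks', '/auth/register'];
const disableAuthentication = [
  '/connParams', '/workeridentifier', '/server', '/connectionParameter',
  '/auth/login', '/auth/ldap', '/doxserver',
];

// Vulnerable decision: true when login.js would call jwtAuthenticate.
// includes() is case sensitive, so '/server/Tasks' still matches the
// '/server' skip-list entry but no longer matches '/server/tasks'.
function vulnerableRequiresAuth(path) {
  return !disableAuthentication.some((v) => path.includes(v)) ||
    enableAuthentication.some((v) => path.includes(v));
}

// Model of app.use(mount, handler) with "case sensitive routing" left at
// its Express default (off): compare case-insensitively and require the
// mount to end on a path-segment boundary. Assumption: Express 4 semantics.
function expressMountMatches(mount, path) {
  const m = mount.replace(/\/+$/, '').toLowerCase();
  const p = path.replace(/\/+$/, '').toLowerCase();
  return p === m || p.startsWith(m + '/');
}

// Mount table from the advisory's Router.js, most specific first; the
// handler modules are replaced by their names (hypothetical labels).
const basePathbackend = '/server/';
const mounts = [
  [basePathbackend + 'tasks/pre/', 'uploadpreapi'],
  [basePathbackend + 'tasks/post/', 'uploadpostapi'],
  [basePathbackend + 'tasks', 'tasksapi'],
  [basePathbackend + 'queue', 'queueapi'],
];

// The backend handler Express would dispatch the request to, or null.
function routedHandler(path) {
  const hit = mounts.find(([mount]) => expressMountMatches(mount, path));
  return hit ? hit[1] : null;
}

// True when the request reaches a task/queue handler without authentication.
function isBypass(path) {
  return routedHandler(path) !== null && !vulnerableRequiresAuth(path);
}

// Given candidate paths, return those that bypass authentication.
function bypassReport(paths) {
  return paths.filter(isBypass);
}

// Hardened decision: default deny, normalise case the way the router does,
// anchor at the start of the path, and list only the genuinely public routes.
const publicPrefixes = [
  '/connparams', '/workeridentifier', '/connectionparameter',
  '/auth/login', '/auth/ldap', '/doxserver',
];
function hardenedRequiresAuth(path) {
  const p = path.replace(/\/+$/, '').toLowerCase();
  return !publicPrefixes.some((v) => p === v || p.startsWith(v + '/'));
}
```

Running bypassReport over ['/server/tasks', '/server/Tasks', '/server/Queue/1', '/server/Task'] returns only the two mixed-case paths: '/server/Task' is not a bypass because no mount matches it, which is why the attacker needs a case variant of the full mount name rather than a truncation. The hardened check treats every path as protected unless it starts with a listed public prefix after case normalisation, so no case variant of a protected route can fall through.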

An FMPS publication task can contain user credentials to external systems when the input source or the output folder is located on an external system. In this case, the attacker can view user credentials to a Content Management System (CMS) such as Microsoft SharePoint, DitaExchange, or Adobe Experience Manager.

In addition, the attacker can upload a malicious script to the FMPS server, submit a publication task with a post-publish script linked to the malicious script, and schedule the task to be run on a client system. The attacker-supplied script can potentially be executed on the client system if the user specified in the task is currently logged into the FMPS server.

When an FMPS user successfully logs into the FMPS server, an access token is created and stored in the accessToken field of that user's document in the users collection of the stubFM MongoDB database. When the user logs out, the accessToken field is set to empty.

When the client (i.e., FrameMakerEx.exe) 'fetches' a task to run, the downloaded task includes information about the user who submitted the task. This user information is sourced from the users collection in the stubFM database and includes the username, encrypted password, and access token (JWT) if present. The client needs the access token to reach authenticated API URLs and communicate properly with the FMPS server; for example, it needs a valid access token to download the post-publish script associated with the task.

The attacker can learn about valid FMPS users by viewing existing tasks. If one of the valid users is currently logged in, the attacker can impersonate that user when submitting a task to the FMPS server, and the attacker-controlled script could then be executed on a client system under the security context of the account running FrameMakerEx.exe.

CVE-2024-30300 - Sensitive Information Disclosure Via Fake FMPS Worker (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated remote attacker can register a host of their choosing as a worker/client for the FMPS server. The attacker can then 'fetch' tasks submitted by legitimate users. An access token (JWT) for the user who submitted the task is included in the task, and the attacker can use that token to perform authenticated operations. For example, if the user has ADMIN permission, the attacker can add another administrative FMPS user.

Solution

Apply vendor-supplied patch available here: https://helpx.adobe.com/framemaker-publishing-server/kb/fixed-issues.html

Disclosure Timeline

March 6, 2024 - Tenable discloses to Adobe.
March 6, 2024 - Adobe acknowledges.
March 13, 2024 - Adobe confirms one issue and disputes the other.
March 15, 2024 - Tenable provides rebuttal.
March 20, 2024 - Adobe accepts rebuttal and acknowledges second issue.
April 19, 2024 - Tenable requests status update.
April 22, 2024 - Adobe states that status update has been requested from engineering team.
April 29, 2024 - Adobe states that patches are in progress.
May 22, 2024 - Tenable requests status update from Adobe.
May 24, 2024 - Adobe states planned patch release on May 31 and advisories on June 11. Adobe requests disclosure delay until June 11.
May 28, 2024 - Tenable reiterates intent to release advisory information alongside patches and requests CVE identifier information from Adobe.
May 29, 2024 - Adobe states releases are set for June 11.
May 30, 2024 - Tenable acknowledges.
June 6, 2024 - Tenable realizes that Adobe has released patches prior to the coordinated disclosure date. Tenable publishes advisory and notifies Adobe.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-21
Affected Products:
Adobe FrameMaker Publishing Server December 2022 Update 2 and prior
Risk Factor:
Critical

Advisory Timeline

June 6, 2024 - Initial release.
June 13, 2024 - Added references to vendor information and CVEs.