
Multiple Vulnerabilities in Adobe FrameMaker Publishing Server (FMPS) December 2022 release Update 2

Critical

Synopsis

Multiple vulnerabilities exist in Adobe FrameMaker Publishing Server (FMPS) December 2022 release Update 2 (17.0.2) and prior.

CVE-2024-30299 - FMPS API Authentication Bypass (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

FMPS 17.0.2 attempts to enforce authentication for API URL endpoints containing /server/queue and /server/tasks, but allows unauthenticated access for other URLs containing /server:

// login.js; URL matching is case sensitive
var jwtauth = require('./jwtauth') // module providing jwtAuthenticate (path assumed)
module.exports = function () {
  return function (req, res, next) {
    // Paths that must always be authenticated
    var enableAuthentication = [
      '/server/queue',
      '/server/tasks',
      '/auth/register'
    ]
    // Paths exempt from authentication; note that '/server' is a substring of every /server/* URL
    var disableAuthentication = [
      '/connParams',
      '/workeridentifier',
      '/server',
      '/connectionParameter',
      '/auth/login',
      '/auth/ldap',
      '/doxserver'
    ]
    // Authenticate unless the path contains an exempt entry and no protected entry.
    // String.prototype.includes is a case-sensitive substring test.
    if (
      !disableAuthentication.some(function (v) {
        return req.path.includes(v)
      }) ||
      enableAuthentication.some(function (v) {
        return req.path.includes(v)
      })
    ) {
      jwtauth.jwtAuthenticate(req, res, next, function (founduser) {})
    } else {
      next()
    }
  }
}

The URL matching in login.js is case sensitive. However, route matching in Node.js Express is case insensitive by default, so the router accepts spellings that the authentication check does not recognize:

// Router.js; URL matching is not case sensitive
var basePathbackend = '/server/'
[...]
app.use(basePathbackend + 'tasks', tasksapi)
[...]
app.use(basePathbackend + 'tasks/pre/', uploadpreapi)
app.use(basePathbackend + 'tasks/pre/', downloadpreapi)
app.use(basePathbackend + 'tasks/post/', uploadpostapi)
app.use(basePathbackend + 'tasks/post/', downloadpostapi)
[...]
app.use(basePathbackend + 'queue', queueapi)
[...]

As a result, an unauthenticated remote attacker can access protected FMPS API URLs containing /server/queue and /server/tasks by requesting /server/Queue and /server/Task, respectively. With access to these APIs, the actions the attacker can perform include but are not limited to:

- View, add, update, delete, and schedule FMPS publication tasks
- Upload and download pre-publish and post-publish scripts associated with tasks
- Potentially execute an attacker-controlled script (e.g., a Windows batch file) on an FMPS client system

An FMPS publication task can contain user credentials to external systems when the input source or the output folder is located on an external system. In this case, the attacker can view user credentials to a Content Management System (CMS) such as Microsoft SharePoint, DitaExchange, or Adobe Experience Manager.

In addition, the attacker can upload a malicious script to the FMPS server, submit a publication task with a post-publish script linked to the malicious script, and schedule the task to be run on a client system. The attacker-supplied script can potentially be executed on the client system if the user specified in the task is currently logged into the FMPS server.

When an FMPS user successfully logs into the FMPS server, an access token is created and stored in the accessToken field of that user's document in the users collection of the stubFM MongoDB database. When the user logs out, the accessToken field is set to empty.

When the client (i.e., FrameMakerEx.exe) 'fetches' a task to run, the downloaded task includes information about the user who submitted the task. This user information is sourced from the users collection in the stubFM database. It includes the username, encrypted password, and access token (JWT) if present. The client needs the access token to reach authenticated API URLs and communicate properly with the FMPS server. For example, it needs a valid access token to download the post-publish script associated with the task.

The attacker can learn about valid FMPS users by viewing existing tasks. If one of the valid users is currently logged in, the attacker can impersonate that user when submitting a task to the FMPS server, and the attacker-controlled script could then be executed on a client system under the security context of the account running FrameMakerEx.exe.

CVE-2024-30300 - Sensitive Information Disclosure Via Fake FMPS Worker (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated remote attacker can register a host of their choosing as a worker/client for the FMPS server. The attacker can then 'fetch' tasks submitted by legitimate users. An access token (JWT) for the user who submitted the task is included in the task. The attacker can use the access token to perform authenticated operations. For example, if the user has ADMIN permission, the attacker can add another administrative FMPS user.

Solution

Apply vendor-supplied patch available here: https://helpx.adobe.com/framemaker-publishing-server/kb/fixed-issues.html

Disclosure Timeline

March 6, 2024 - Tenable discloses to Adobe.
March 6, 2024 - Adobe acknowledges.
March 13, 2024 - Adobe confirms one issue and disputes the other.
March 15, 2024 - Tenable provides rebuttal.
March 20, 2024 - Adobe accepts rebuttal and acknowledges second issue.
April 19, 2024 - Tenable requests status update.
April 22, 2024 - Adobe states that status update has been requested from engineering team.
April 29, 2024 - Adobe states that patches are in progress.
May 22, 2024 - Tenable requests status update from Adobe.
May 24, 2024 - Adobe states planned patch release on May 31 and advisories on June 11. Adobe requests disclosure delay until June 11.
May 28, 2024 - Tenable reiterates intent to release advisory information alongside patches and requests CVE identifier information from Adobe.
May 29, 2024 - Adobe states releases are set for June 11.
May 30, 2024 - Tenable acknowledges.
June 6, 2024 - Tenable realizes that Adobe has released patches prior to the coordinated disclosure date. Tenable publishes advisory and notifies Adobe.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-21
Affected Products:
Adobe FrameMaker Publishing Server December 2022 Update 2 and prior
Risk Factor:
Critical

Advisory Timeline

June 6, 2024 - Initial release.
June 13, 2024 - Added references to vendor information and CVEs.
