Artica Proxy VMWare Appliance 4.30.000000 SP273 Path Traversal

Posted Sep 3, 2021
Authored by Heiko Feldhusen

Artica Proxy VMWare Appliance versions 4.30.000000 SP273 and below suffer from a path traversal vulnerability.

tags | exploit
advisories | CVE-2021-40680
SHA-256 | 7dcc4675050e13cb48b4f8260cdd2bf6677d8c485b8a55b1e18dda85bcab8b6f


Advisory ID: RCS20210707-0
Product: Artica Proxy VMWare Appliance
Vendor/Manufacturer: ArticaTech (https://www.articatech.com)
Affected Version(s): 4.30.000000 <=[SP273]
Tested Version(s): 4.30.000000 [SP273]
Vulnerability Type: Relative path traversal [CWE-23], Improper Limitation of a Pathname to a Restricted Directory [CWE-22], [CWE-35], [CWE-36], [CAPEC-126]
CVSS v3.1 Risk Level: High
CVSS v3.1 Risk Score: 8.1
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v3.0 Risk Level: High
CVSS v3.0 Risk Score: 8.1
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v2.0 Risk Level: High
CVSS v2.0 Base Score: 7.8
CVSS v2.0 Temporal Score: 6.1
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Solution Status: Fixed in Version 4.30.000000 [SP273]
Manufacturer Notification: 5th July 2021
Solution Date: 9th August 2021
Public Disclosure: 26.08.2021
CVE Reference:
Author of Advisory: Heiko Feldhusen, Rheinmetall Cyber Solutions GmbH

####----####----####----####----####----####----####----####----####----####----

Vendor-Description:

Artica Tech is a new French Software Publisher, an independent company, established in 2012.
It is based near Paris in France.
Artica project began in 2004 and stemmed from ideas about how to improve the Open Source security
solutions available at the time, which were difficult and often expensive to implement and maintain.
Artica claims to provide a user-friendly Web interface.
Today, with around 100.000 servers installed worldwide, Artica solutions are as relevant
to small and medium-sized enterprises as they are to the largest of firms.

Source:
https://www.articatech.com/about-artica.php


####----####----####----####----####----####----####----####----####----####----

Product-Description:

Artica V4 is an appliance based on Debian 10 Operating system.
You can install it on the Hardware or Virtual Machine of your choice and get a Web Gateway
appliance within minutes.

Artica embeds technologies such as

Antivirus,
URL Filtering,
Web HTTP Proxy,
Web Caching,
Web Secure Proxy,
SSH Gateway/Proxy,
RDP Reverse Proxy,
Firewall,
SSL Inspection,
Kerberos Authentication,
Access Logging,
Bandwidth Shaping,
HTTP Compression,
WAF (Web Application Firewall),
Web traffic Load Balancing.

Artica-Proxy claims to offer a full HTTP/HTTPS/FTP/SSH/RDP/VNC proxy infrastructure.

Source:
http://articatech.net/about-proxy.php

####----####----####----####----####----####----####----####----####----####----

Vulnerability Details:

The software uses external input to construct a pathname that should be within a restricted directory,
but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.


This vulnerability allows an attacker to use the Web-filtering page to read any file on the system.


The vulnerability exists in the CGI function used, which is a built-in part of the proxy.
This board has a security flaw in the CGI main.cgi that lets an attacker read arbitrary files with the privileges of the http daemon (usually root or nobody).
We were able to read the passwd, so we assume the http daemon runs with root privileges.


Source:
https://cwe.mitre.org/data/definitions/23.html
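
The flaw class described above, shown as an added example that is not Artica's code (the advisory does not show the CGI source). The function names and the base directory /srv/app/rules are hypothetical. A naive join is set beside a resolver that canonicalizes the path and checks containment.

```python
import os

def naive_resolve(base_dir, filename):
    # Vulnerable pattern: the request value is appended to the base directory
    # and ".." segments are never neutralized before the file is opened.
    return os.path.normpath(base_dir + "/" + filename)

def confined_resolve(base_dir, filename):
    """Return the real path of filename inside base_dir, or raise ValueError."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = os.path.realpath(base_dir)
    # Strip leading slashes so os.path.join cannot discard the base, then
    # resolve ".." segments and symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, filename.lstrip("/")))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the permitted directory")
    return candidate

if __name__ == "__main__":
    requested = "/../../../../../../../../etc/passwd"  # value from the advisory's PoC
    print(naive_resolve("/srv/app/rules", requested))   # hypothetical base directory
    try:
        confined_resolve("/srv/app/rules", requested)
    except ValueError as exc:
        print("rejected:", exc)
```

The check runs on the resolved path, so a symlink placed inside the permitted directory that points elsewhere is rejected as well.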

####----####----####----####----####----####----####----####----####----####----

Proof of Concept (PoC):
http://yourproxynamehere/cgi-bin/main.cgi?filename=/../../../../../../../../etc/passwd
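
Requests of the shape shown in the PoC can be found after the fact in web access logs. The following is an added example, not part of the original advisory. It assumes a combined-format access log, and the log lines are constructed samples using documentation IP ranges. It flags main.cgi requests whose filename parameter contains ".." segments after percent-decoding.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    # Undo nested percent-encoding so encoded dots and slashes are compared too.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/")

def suspicious_requests(lines, cgi_path="/cgi-bin/main.cgi", param="filename"):
    """Return (client, status, decoded value) for each traversal attempt."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != cgi_path:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((line.split()[0], match.group(2), fully_decode(value)))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Sep/2021:10:00:01 +0000] "GET /cgi-bin/main.cgi?filename=/../../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.11 - - [03/Sep/2021:10:00:05 +0000] "GET /cgi-bin/main.cgi?filename=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199',
    '198.51.100.7 - - [03/Sep/2021:10:01:00 +0000] "GET /cgi-bin/main.cgi?filename=blocklist.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Sep/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(client, status, value)
```

A hit with status 200 deserves priority during triage, since it indicates the file content was returned.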


####----####----####----####----####----####----####----####----####----####----

Solution:
Fix provided by Artica Tech.
Update to Version 4.30.000000 [SP273].
####----####----####----####----####----####----####----####----####----####----

Disclosure Timeline:

2021-06-28: Vulnerability discovered
2021-07-05: Vulnerability reported to manufacturer
2021-07-07: Patch released by manufacturer
2021-08-26: Public disclosure of vulnerability

####----####----####----####----####----####----####----####----####----####----


Credits:

This vulnerability was discovered by Heiko Feldhusen.

E-Mail: heiko D:O:T feldhusen () rheinmetall-cyber D.O.T solutions

Public Key: https://keys.openpgp.org/vks/v1/by-fingerprint/2532144FBD175EAF6F9A314FC64DA4E4D3CDF74C

####----####----####----####----####----####----####----####----####----####----

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible.

####----####----####----####----####----####----####----####----####----####----

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

####----####----####----####----####----####----####----####----####----####----

Heiko Feldhusen
ISOC Engineer
Engineering
Rheinmetall Cyber Solutions GmbH

Rheinmetall Cyber Solutions GmbH
Mary-Somerville-Str. 14, 28359 Bremen, Germany. Registered office: Bremen
Bremen District Court HRB 35995
Executive Board:
Moritz Pichler, Jendrik Kreisel

