Advisory ID: RCS20210707-0 Product: Artica Proxy VMWare Appliance Vendor/Manufacturer: ArticaTech (https://www.articatech.com) Affected Version(s): 4.30.000000 <=[SP273] Tested Version(s): 4.30.000000 [SP273] Vulnerability Type: Relative path traversal [CWE-23], Improper Limitation of a Pathname to a restricted Directory [CWE-22], [CWE 35], [CWE 36], [CAPEC-126] CVSS v3.1 Risk Level: High CVSS v3.1 Risk Score: 8.1 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS v3.0 Risk Level: High CVSS v3.0 Risk Score: 8.1 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS v2.0 Risk Level: High CVSS v2.0 Base Score: 7.8 CVSS v2.0 Temporal Score: 6.1 CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C Solution Status: Fixed in Version 4.30.000000 [SP273] Manufacturer Notification: 5th July 2021 Solution Date: 9th August 2021 Public Disclosure: 26.08.2021 CVE Reference: Author of Advisory: Heiko Feldhusen, Rheinmetall Cyber Solutions GmbH ####----####----####----####----####----####----####----####----####----####---- Vendor-Description: Artica Tech is a new French Software Publisher, an independant company, established in 2012. It is based near Paris in France. Artica project began in 2004 and stemmed from ideas about how to improve the Open Source security solutions available at the time, which were difficult and often expensive to implement and maintain Artica claim to provide a user-friendly Web interface. Today, with around 100.000 servers installed worldwide, Artica solutions are as relevant to small and medium-sized entreprises as they are to the largest of firms. Source: https://www.articatech.com/about-artica.php ####----####----####----####----####----####----####----####----####----####---- Product-Description: Artica V4 is an appliance based on Debian 10 Operating system. Your can install it on the Hardware or Virtual Machine of your choice and get a Web Gateway appliance within minutes. Artica embeds technologies such as Antivirus, URL Filtering, Web HTTP Proxy, Web Caching, Web Secure Proxy, SSH Gateway/Proxy, RDP Reverse Proxy, Firewall, SSL Inspection, Kerberos Authentication, Access Logging, Bandwidth Shaping, HTTP Compression, WAF (Web Application Firewall), Web traffic Load Balancing. Artica-Proxy claim to offer a full HTTP/HTTPS/FTP/SSH/RDP/VNC proxy infrastructure. Source: http://articatech.net/about-proxy.php ####----####----####----####----####----####----####----####----####----####---- Vulnerability Details: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. This vulnerability allows to use the Web-filtering page to read any file on the system. This vulnerability exists in the used cgi function, which is a build in part of the proxy. This board has a security flaw in the CGI main.cgi that lets an attacker read arbitrary files with the privileges of the http daemon (usually root or nobody). We were able to read the passwd, so we assume the http deamon runs with root-priviledges. Source: https://cwe.mitre.org/data/definitions/23.html ####----####----####----####----####----####----####----####----####----####---- Proof of Concept (PoC): http://yourproxynamehere/cgi-bin/main.cgi? filename=/../../../../../../../../etc/passwd ####----####----####----####----####----####----####----####----####----####---- Solution: Fix provided from Artica Tech. Update to Version 4.30.000000 [SP273] ####----####----####----####----####----####----####----####----####----####---- Disclosure Timeline: 2021-06-28: Vulnerability discovered 2021-07-05: Vulnerability reported to manufacturer 2021-07-07: Patch released by manufacturer 2021-08-26: Public disclosure of vulnerability ####----####----####----####----####----####----####----####----####----####---- References: [1] Product website for Admin Columns https://www.articatech.com/about-proxy.php ####----####----####----####----####----####----####----####----####----####---- Credits: This vulnerability was discovered by Heiko Feldhusen. E-Mail: heiko D:O:T feldhusen () rheinmetall-cyber D.O.T solutions Public Key: https://keys.openpgp.org/vks/v1/by-fingerprint/2532144FBD175EAF6F9A314FC64DA4E4D3CDF74C ####----####----####----####----####----####----####----####----####----####---- Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ####----####----####----####----####----####----####----####----####----####---- Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en ####----####----####----####----####----####----####----####----####----####---- Heiko Feldhusen ISOC Engineer Engineering Rheinmetall Cyber Solutions GmbH Rheinmetall Cyber Solutions GmbH Mary-Somerville-Str. 14, 28359 Bremen, Germany Sitz der Gesellschaft: Bremen Amtsgericht Bremen HRB 35995 Gesch?ftsf?hrung/Executive Board: Moritz Pichler, Jendrik Kreisel This email may contain confidential information. If you are not the intended addressee, or if the information provided in this email including any attachments) is evidently not destined for you, kindly inform us promptly and delete the message received in error (including any attachments) by erasing it from all your computers and other storage devices or media and destroying any hard copies thereof. Any unauthorized processing, forwarding, disclosure, distribution, divulgation, storage, printout or other use of this message or its attachment is prohibited. If your system is infected or otherwise bugged by any virus that is carried by this email, we disclaim any liability whatsoever for the ensuing loss or damage unless caused by our intention or gross negligence.