CVE-2020-13159
Description
OS command injection in Artica Proxy before 4.30.000000 Community Edition allows authenticated admin to execute arbitrary commands via Netbios name, Server domain name, dhclient_mac, Hostname, or Alias fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Artica Proxy before version 4.30.000000 Community Edition contains an OS command injection vulnerability in the administrative web interface. The injection can be triggered via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias fields. These fields are processed without adequate sanitization, allowing an attacker to inject arbitrary operating system commands [1].
Exploitation
An attacker must have valid administrative credentials to access the configuration interface where these fields are present. No user interaction beyond the administrator saving the configuration is required. The attacker provides a crafted value containing command injection syntax (e.g., using backticks or semicolons) in one of the vulnerable fields. When the system processes the configuration, the injected commands are executed within the context of the web application [1].
Impact
Successful exploitation results in arbitrary OS command execution with the privileges of the web server process (typically root on appliance installations). This can lead to full compromise of the proxy server, including data exfiltration, installation of additional malware, or use of the appliance as a pivot point within the network [1].
Mitigation
The vendor released version 4.30.000000 which addresses this issue. Users should upgrade to this version or later. For users unable to upgrade, restricting administrative access to the web interface via network segmentation and strong authentication is recommended as a partial workaround. This CVE may overlap with CVE-2020-10818 [1].
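As a complement to upgrading, the sketch below shows allowlist validation for the five field types named above, plus building a command as an argument vector so that no shell parses the value. It is an added example, not Artica's code or the vendor's fix; the field keys, the accepted formats, and the `hostname` command are assumptions made for illustration.

```python
import re

# Allowlist formats per field. These are assumed formats for illustration,
# not taken from Artica's source.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
PATTERNS = {
    "netbios_name": re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}"),   # max 15 chars
    "server_domain_name": re.compile(rf"{_LABEL}(?:\.{_LABEL})+"),
    "dhclient_mac": re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"),
    "hostname": re.compile(rf"{_LABEL}(?:\.{_LABEL})*"),
    "alias": re.compile(_LABEL),
}

def validate_field(field, value):
    """Return value unchanged if it fully matches its allowlist, else raise."""
    pattern = PATTERNS.get(field)
    if pattern is None:
        raise ValueError(f"unknown field: {field}")
    # fullmatch (not match or '$') so a trailing newline cannot slip through.
    if not isinstance(value, str) or len(value) > 253 or not pattern.fullmatch(value):
        raise ValueError(f"rejected {field}: {value!r}")
    return value

def rejected_fields(settings):
    """Return the sorted names of submitted fields that fail validation."""
    bad = []
    for field, value in settings.items():
        try:
            validate_field(field, value)
        except ValueError:
            bad.append(field)
    return sorted(bad)

def hostname_argv(value):
    """Build an argv list for subprocess.run(argv) with the default shell=False.
    The value must start with an alphanumeric, so it cannot be read as an option."""
    return ["hostname", validate_field("hostname", value)]

# Constructed sample submission: two values carry shell metacharacters.
SAMPLE = {
    "netbios_name": "PROXY01",
    "server_domain_name": "example.lan",
    "dhclient_mac": "00:11:22:33:44:55",
    "hostname": "proxy01;id",
    "alias": "gw`id`",
}

if __name__ == "__main__":
    print(rejected_fields(SAMPLE))
```

Rejecting the whole submission when any field fails is safer than trying to strip metacharacters from it.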
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Artica/Proxy Community Edition
- Range: < 4.30.000000
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- sourceforge.net/projects/artica-squid/files/ (mitre, x_refsource_MISC)