Artica Proxy Unauthenticated File Manager Vulnerability

Vulnerability

The "Rich Filemanager" feature in Artica Proxy versions 4.40 and 4.50 provides a web-based file management interface. When enabled via the administrative interface, it spawns a listener on TCP port 5000 bound to all interfaces (0.0.0.0) without requiring authentication by default. The service runs as the root user, allowing complete file system access. The feature is disabled by default but can be activated by an administrator. [1]

Exploitation

An unauthenticated attacker can access the file manager web interface on port 5000/TCP. Since no authentication is required, the attacker can browse, upload, and modify files with root privileges. The attacker can add entries to /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create a new root-level user account with SSH access. [1]

Impact

Successful exploitation grants an attacker complete control of the Artica Proxy system as root. The attacker can create persistent backdoor accounts, exfiltrate sensitive data, and further compromise the network. The vulnerability combines authentication bypass (CWE-288) with exposure of files and directories (CWE-552). [1]

Mitigation

As of the advisory publication date (2024-03-05), no fix has been released. The vendor has not provided a patch or workaround. Administrators should disable the "Rich Filemanager" feature if not required and restrict access to port 5000/TCP via firewall rules. Impacted versions are 4.40 and 4.50 on Debian 10 LTS. [1]