Detection Content: Artica Proxy vulnerabilities

In today’s post, we want to inform you about several vulnerabilities recently discovered in Artica Proxy version 4.30, a system that lets users with basic technical skills manage a proxy server in transparent mode, as well as connect it to Active Directory (AD) and OpenLDAP.

The freshly reported CVE-2020-17506 vulnerability in Artica Proxy enables attackers to abuse the system’s API to remotely bypass authentication and obtain super admin privileges.

Once attackers have penetrated the system with root privileges and taken control of the web back-end, they can inject OS commands through a PHP file, as reported in CVE-2020-17505. Shell injection combined with direct access to the compromised system is often tantamount to full application compromise, since attackers gain the rights to make major changes to the system.

Users of SOC Prime Threat Detection Marketplace can detect exploitation attempts for the reported vulnerabilities with community Sigma rules published by Halil Ibrahim Cosgun:

Artica Web Proxy Authentication Bypass (CVE-2020-17506)

Artica Web Proxy Authenticated OS Command Injection (CVE-2020-17505)

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)


Ready to try out SOC Prime TDM? Sign up for free.

Or join Threat Bounty Program to craft your own content and share it with the TDM community.