Prima access control has a wide range of solutions, including wall-mounted readers, electronic lock cylinders, parking access control, and elevator control. The list of flaws includes OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, and Use of Hard-coded Credentials.
The flaws, reported by Gjoko Krstic of Applied Risk, could be easily exploited by remote attackers to gain full system access on affected systems, the issues affect Prima FlexAir Versions 2.3.38 and prior.
“Exploitation of these vulnerabilities may allow an attacker to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and have full system access,” reads the security advisory published by CISA.
The most severe vulnerability, tracked as CVE-2019-7670, is an OS command injection flaw.
“Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.” reads the description for the flaw.
The vulnerability received a CVSS score of 10.
Another issue, tracked as CVE-2019-7669, is an improper validation of file extensions when uploading files that was rated as
Another critical issue, tracked as CVE-2019-7672, received a CVSS score of 8.8.
“The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.” reads
The expert also discovered that the application generates database backup files with a predictable name. This issue, tracked as CVE-2019-7667 could be exploited by an attacker to carry out brute-force attacks to identify the database backup file name. The attacker could then download the database and disclose login information, then use it to gain full access to the system.
Prima Systems addressed these vulnerabilities with the release of the version 2.5.12.
“To update to the latest firmware, each user should select the “Check for Upgrade” option in the “Centrals” menu in the GUI. The user’s controller will connect to the Prima Systems server and update to the latest version.” concludes the CISA advisory.
“CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: