CISA warns of critical flaws in Prima FlexAir access control system

The U.S. CISA published a security advisory to warn of multiple critical vulnerabilities affecting in Prima FlexAir access control system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of critical flaws affecting access control systems manufactured by Prima Systems.

Prima access control has a wide range of solutions, including wall-mounted readers, electronic lock cylinders, parking access control, and elevator control. The list of flaws includes OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, and Use of Hard-coded Credentials.

The flaws, reported by Gjoko Krstic of Applied Risk, could be easily exploited by remote attackers to gain full system access on affected systems, the issues affect Prima FlexAir Versions 2.3.38 and prior.

“Exploitation of these vulnerabilities may allow an attacker to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and have full system access,” reads the security advisory published by CISA.

The most severe vulnerability, tracked as CVE-2019-7670, is an OS command injection flaw.

“Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.” reads the description for the flaw.

The vulnerability received a CVSS score of 10.

Another issue, tracked as CVE-2019-7669, is an improper validation of file extensions when uploading files that was rated as CVSS score of 9.1. The vulnerability could be exploited by a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges. 

Another critical issue, tracked as CVE-2019-7672, received a CVSS score of 8.8.

“The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.” reads the advisory published by the NIST.

The expert also discovered that the application generates database backup files with a predictable name. This issue, tracked as CVE-2019-7667 could be exploited by an attacker to carry out brute-force attacks to identify the database backup file name. The attacker could then download the database and disclose login information, then use it to gain full access to the system.

Prima Systems addressed these vulnerabilities with the release of the version 2.5.12. 

“To update to the latest firmware, each user should select the “Check for Upgrade” option in the “Centrals” menu in the GUI. The user’s controller will connect to the Prima Systems server and update to the latest version.” concludes the CISA advisory.

“CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Prima FlexAir, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]