Prima access control has a wide range of solutions, including wall-mounted readers, electronic lock cylinders, parking access control, and elevator control. The list of flaws includes OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, and Use of Hard-coded Credentials.
The flaws, reported by Gjoko Krstic of Applied Risk, could be easily exploited by remote attackers to gain full system access on affected systems, the issues affect Prima FlexAir Versions 2.3.38 and prior.
“Exploitation of these vulnerabilities may allow an attacker to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and have full system access,” reads the security advisory published by CISA.
The most severe vulnerability, tracked as CVE-2019-7670, is an OS command injection flaw.
“Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.” reads the description for the flaw.
The vulnerability received a CVSS score of 10.
Another issue, tracked as CVE-2019-7669, is an improper validation of file extensions when uploading files that was rated as
Another critical issue, tracked as CVE-2019-7672, received a CVSS score of 8.8.
“The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.” reads
The expert also discovered that the application generates database backup files with a predictable name. This issue, tracked as CVE-2019-7667 could be exploited by an attacker to carry out brute-force attacks to identify the database backup file name. The attacker could then download the database and disclose login information, then use it to gain full access to the system.
Prima Systems addressed these vulnerabilities with the release of the version 2.5.12.
“To update to the latest firmware, each user should select the “Check for Upgrade” option in the “Centrals” menu in the GUI. The user’s controller will connect to the Prima Systems server and update to the latest version.” concludes the CISA advisory.
“CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.