- The access control system by Prima Systems was plagued by major vulnerabilities including OS command injection, cross-site scripting, and more.
- The flaws affected Prima FlexAir 2.3.38 and earlier versions. However, Prima Systems has fixed them in the latest release -- version 2.5.12.
Prima FlexAir, an access control platform developed by Prima Systems, was found to have a string of security vulnerabilities. The flaws were discovered by security researcher Gjoko Krstic of Applied Risk. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding the security issues in FlexAir. A total of nine flaws were detailed in the advisory by CISA.
- The flaws identified in Prima FlexAir are OS command injection, file upload vulnerability, cross-site request forgery, cross-site scripting, random values error, backup file exposure, improper authentication and use of hard-coded credentials issues.
- The OS command injection flaw (CVE-2019-7670) was the most critical one among them. It has a CVSS v3 score of 10. It could allow attackers to execute commands directly on the operating system.
- Other major flaws following the command injection issue were the file upload vulnerability (CVE-2019-7669), the use of hard-coded credentials and backup file exposure flaw (CVE-2019-7667).
- The nine flaws impacted FlexAir 2.3.38 and earlier versions. Prima Systems has patched them in version 2.5.12.
What is the impact?
In the advisory, CISA describes the risks of exploitation due to these flaws. “Exploitation of these vulnerabilities may allow an attacker to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and have full system access,” reads the advisory.
The agency has advised users to update to versions 2.5.12 and has also recommended measures to reduce exploitation.