This week, an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of numerous vulnerabilities in access control systems made by Prima Systems.
CISA, an operational component under the Department of Homeland Security (DHS), says the vulnerabilities affect Prima FlexAir versions 2.3.38 and prior and are considered Critical, as they can be exploited remotely and do not require advanced hacking skills.
Prima’s FlexAir is used to control access to features such as elevators, door locks, parking lot gates, and even mailboxes.
“Exploitation of these vulnerabilities may allow an attacker to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and have full system access,” CISA notes in an advisory.
The vulnerabilities were discovered by Applied Risk security researcher Gjoko Krstic, who published details on them in May (PDF). Krstic said that successful exploitation may provide an unauthenticated attacker with full system access.
The most significant of the flaws is CVE-2019-7670, an OS command injection with a CVSS score of 10. The problem is that, when building an OS command using externally-influenced input, the application “incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.”
According to CISA’s advisory, the other significant flaw is CVE-2019-7669, an improper validation of file extensions when uploading files. With a CVSS score of 9.1, the vulnerability could allow a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges.
A spate of authentication issues were also found in the platform, including the fact that it allows authentication using the MD5 hash value of the password (CVE-2019-7666 – CVSS score 7.5), and that the flash version of the web interface contains a hard-coded username and password (CVE-2019-7672 – CVSS score 8.8).
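
To illustrate why accepting the MD5 hash of a password as the login credential (the CVE-2019-7666 weakness class) is a problem, the added example below contrasts it with a salted, server-side derivation. It is constructed example code, not code from FlexAir or the advisory; the account name, password, and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample account; not data from FlexAir or the advisory.
USER, PASSWORD = "operator", "correct-horse-battery"


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Weak design: the server stores MD5(password) and accepts that same
# value from the client as the login credential.
WEAK_DB = {USER: md5_hex(PASSWORD)}


def weak_login(user: str, submitted_hash: str) -> bool:
    stored = WEAK_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


# Hardened design: the client sends the password over TLS and the server
# derives a salted, slow hash to compare against the stored record.
ITERATIONS = 600_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, derive(password, salt)


STRONG_DB = {USER: enroll(PASSWORD)}


def strong_login(user: str, password: str) -> bool:
    record = STRONG_DB.get(user)
    if record is None:
        return False
    salt, key = record
    return hmac.compare_digest(key, derive(password, salt))


def stored_value_is_credential() -> tuple[bool, bool]:
    """Does the value at rest log in by itself? Returns (weak, hardened)."""
    weak = weak_login(USER, WEAK_DB[USER])
    strong = strong_login(USER, STRONG_DB[USER][1].hex())
    return weak, strong
```

In the weak design the stored hash is password-equivalent, so any disclosure of the credential store is an authentication bypass; in the hardened design the stored record cannot be replayed as a login.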