CVE-2019-7666
Published: 2019-07-01
Priority: P271, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.82% (96.3rd percentile)
Prima Systems FlexAir, Versions 2.3.38 and prior. The application allows improper authentication using the MD5 hash value of the password, which may allow an attacker with access to the database to login as admin without decrypting the password.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| primasystems | flexair | <= 2.3.38 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to paths matching /links/Nova_Config_*.bck or /links/Nova_Config_*.pdb3 and /Nova/assets/Nova_Config_*.bck; unauthenticated access to these paths indicates active exploitation of the predictable backup filename vulnerability.
- Detect authentication attempts where the password field contains a raw MD5 hash value (32-character hex string) rather than a plaintext password, indicating pass-the-hash style login abuse against the FlexAir application.
- Alert on SQLite queries targeting the 'users' table selecting 'usrloginname' and 'usrloginpassword' columns, particularly filtering on usrid values 1 or 2 (superadmin/sysadmin), as this is the credential harvesting step used by the exploit.
- Detect high-frequency sequential HTTP GET requests to /links/Nova_Config_<YYYY-MM-DD>.bck iterating over a date range (2017-01-01 to 2019-12-30), which is the brute-force enumeration pattern used by the exploit to find a valid backup file.
- The vulnerability affects FlexAir versions 2.3.38 and prior; version 2.4 is noted as fixed. Ensure detections are scoped to unpatched deployments.
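A sketch of the backup-enumeration detection described in the notes above, as an added example that is not part of the original page or any vendor tooling. It assumes an access log in combined log format; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Backup paths named in the detection notes, limited to date-stamped names.
BACKUP_RE = re.compile(
    r"^/(?:links|Nova/assets)/Nova_Config_(\d{4}-\d{2}-\d{2})\.(?:bck|pdb3)$")
# Assumption: the web server writes combined-log-format lines.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3})\b')

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE = [
    f'192.0.2.10 - - [01/Nov/2019:10:00:{s:02d} +0000] '
    f'"GET /links/Nova_Config_2018-03-{s + 1:02d}.bck HTTP/1.1" '
    f'{200 if s == 6 else 404} 0'
    for s in range(8)
] + [
    '198.51.100.7 - - [01/Nov/2019:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2019:11:05:00 +0000] "GET /links/Nova_Config_2019-10-31.bck HTTP/1.1" 403 0',
]

def scan(lines, min_dates=5, window=timedelta(minutes=5)):
    """Per source IP: was a date range enumerated, and which backups were served."""
    hits = defaultdict(list)  # ip -> [(time, date_in_name, path, status)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        b = BACKUP_RE.match(path.split("?", 1)[0])
        if b:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, b.group(1), path, int(status)))
    report = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        enumerated, start = False, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            # Many distinct dates in one window is the enumeration pattern.
            if len({e[1] for e in events[start:end + 1]}) >= min_dates:
                enumerated = True
                break
        # A 200 on any backup path means the configuration database was served.
        served = [e[2] for e in events if e[3] == 200]
        report[ip] = {"enumeration": enumerated, "disclosed": served}
    return report
```

Any entry with a non-empty "disclosed" list should be treated as credential exposure regardless of whether the enumeration threshold was reached.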
CVSS provenance
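| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |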
CISA ICS
Prima Systems FlexAir
cisa_ics·2019-07-30·CVSS 7.2
[HIGH] Prima Systems FlexAir
ICS Advisory
## Prima Systems FlexAir
Last Revised: July 30, 2019
Alert Code: ICSA-19-211-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Prima Systems
- Equipment: FlexAir
- Vulnerabilities: OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Exploitation of these vulnerabilities may allow an attacke
GHSA
GHSA-2j6j-xh5r-gf2p: Prima Systems FlexAir devices allow authentication with MD5 hashes directly
ghsa_unreviewed·2022-05-24
CVE-2019-7666 [HIGH] CWE-287 GHSA-2j6j-xh5r-gf2p: Prima Systems FlexAir devices allow authentication with MD5 hashes directly
Prima Systems FlexAir devices allow authentication with MD5 hashes directly.
No detection rules found.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/155262/Prima-FlexAir-Access-Control-2.3.35-Database-Backup-Predictable-Name.html
- https://applied-risk.com/labs/advisories
- https://www.applied-risk.com/resources/ar-2019-007
- https://www.us-cert.gov/ics/advisories/icsa-19-211-02
Published: 2019-07-01