CVE-2019-7667
Published 2019-07-01
Priority P268 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.50% (90.3th percentile)
Prima Systems FlexAir, Versions 2.3.38 and prior. The application generates database backup files with a predictable name, and an attacker can use brute force to identify the database backup file name. A malicious actor can exploit this issue to download the database file and disclose login information, which can allow the attacker to bypass authentication and have full access to the system.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| primasystems | flexair | <= 2.3.38 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests matching the pattern /links/Nova_Config_<YYYY-MM-DD>.bck or /links/Nova_Config_<YYYY-MM-DD_HH-MM>.pdb3; sequential date-based brute-force of backup filenames is the core attack technique.
- Alert on unauthenticated HTTP 200 responses to requests for *.bck or *.pdb3 files under /links/ or /Nova/assets/ paths on the FlexAir web interface.
- Detect authentication bypass attempts using MD5 password hashes extracted from the downloaded SQLite database; look for login attempts with known default MD5 hashes for 'superadmin' and 'sysadmin' accounts.
- Query the 'users' table in any recovered SQLite .bck/.pdb3 backup for columns usrloginname and usrloginpassword to identify exposed credentials.
- The backup file naming scheme changed between older and newer versions: older versions use /links/Nova_Config_<YYYY-MM-DD>.bck or /Nova/assets/Nova_Config_<YYYY-MM-DD>.bck, while newer (pre-fix) versions use /links/Nova_Config_<YYYY-MM-DD_HH-MM>.pdb3, requiring time-component brute-force as well.
- The vulnerability is fixed in version 2.4 and later; systems running FlexAir 2.3.38 and prior remain exploitable.
- Passwords are stored as unsalted MD5 hashes in the SQLite backup database, enabling direct pass-the-hash or rapid offline cracking for authentication bypass.
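The first two detection items above, as an added example (not taken from the cited advisories or from the vendor): it scans web access log lines for the backup paths named on this page and flags both name enumeration by one client and any 200 response to such a path. The combined log format, the threshold of 5 distinct names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Backup locations and name shapes listed on this page (date-only .bck, date+time .pdb3).
BACKUP_RE = re.compile(
    r"^/(?:links|Nova/assets)/Nova_Config_"
    r"\d{4}-\d{2}-\d{2}(?:_\d{2}-\d{2})?\.(?:bck|pdb3)$"
)
# Assumed log layout: Apache/nginx common or combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
ENUM_THRESHOLD = 5  # assumed: distinct backup names from one client before alerting


def analyze(lines, threshold=ENUM_THRESHOLD):
    """Return alerts as (kind, client_ip, path) tuples, in log order."""
    probes = defaultdict(set)  # client ip -> distinct backup paths requested
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not BACKUP_RE.match(path):
            continue
        ip = m["ip"]
        probes[ip].add(path)
        # A 200 on any of these paths means a backup file left the device.
        if m["status"] == "200":
            alerts.append(("backup_downloaded", ip, path))
        # Fire once per client, when it reaches the threshold of distinct names.
        elif len(probes[ip]) == threshold:
            alerts.append(("backup_name_enumeration", ip, None))
    return alerts


def sample_log():
    """Constructed sample: one client walking dates, plus an unrelated request."""
    lines = [
        f'203.0.113.7 - - [01/Jul/2019:10:00:{i:02d} +0000] '
        f'"GET /links/Nova_Config_2019-06-{i + 1:02d}.bck HTTP/1.1" '
        f'{"200 48128" if i == 5 else "404 162"}'
        for i in range(6)
    ]
    lines.append('198.51.100.4 - - [01/Jul/2019:10:01:00 +0000] '
                 '"GET /index.html HTTP/1.1" 200 512')
    return lines
```

A `backup_downloaded` alert should be treated as credential exposure for every account in the database, since the page notes the stored MD5 hashes are usable for login.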
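CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |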
CISA ICS
Prima Systems FlexAir
cisa_ics·2019-07-30·CVSS 7.2
[HIGH] Prima Systems FlexAir
ICS Advisory
Prima Systems FlexAir
Last Revised: July 30, 2019
Alert Code: ICSA-19-211-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Prima Systems
- Equipment: FlexAir
- Vulnerabilities: OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Exploitation of these vulnerabilities may allow an attacke
GHSA
GHSA-q4q3-wx65-4j6j
ghsa_unreviewed · 2022-05-24
CVE-2019-7667 [CRITICAL] CWE-330
Prima Systems FlexAir devices allow unauthenticated download of the database configuration backup due to a predictable name, resulting in authentication bypass (a login authenticated with the MD5 hash of any user found in the database).
No detection rules found.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/155262/Prima-FlexAir-Access-Control-2.3.35-Database-Backup-Predictable-Name.html
- https://applied-risk.com/labs/advisories
- https://www.applied-risk.com/resources/ar-2019-007
- https://www.us-cert.gov/ics/advisories/icsa-19-211-02
Published: 2019-07-01