CVE-2019-7670
Published 2019-07-01
Priority: P261 · high · CVSS 3.1 score 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 18.31% (96.9th percentile)
Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| primasystems | flexair | <= 2.3.38 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests targeting the SetNTPServer endpoint with a 'Server' parameter containing shell metacharacters (e.g., pipe '|', semicolon ';') indicative of OS command injection.
- Detect outbound GET requests to the path /app/images/logos/stage.txt on the target device, which is used as a web-accessible drop zone to retrieve command output from the injected OS command.
- The exploit requires an authenticated session (Session-ID cookie/parameter). Correlate suspicious SetNTPServer calls with recently authenticated sessions, especially those followed immediately by GET requests to /app/images/logos/stage.txt.
- The device runs as uid=0(root); any successful exploitation results in full root-level OS command execution. Alert on process spawning from the web application process with root privileges on Prima FlexAir devices.
- Default service port observed in exploit examples is 8080. Monitor for HTTP traffic to Prima FlexAir devices on port 8080 with POST requests containing pipe or shell injection characters in NTP-related parameters.
- Exploitation requires a valid authenticated Session-ID; unauthenticated exploitation is not possible. Ensure session management and credential hygiene are reviewed alongside patching.
- Affected versions are 2.3.38 and prior. Verify the exact firmware version on deployed Prima FlexAir units before applying detection rules, as later versions may not be vulnerable.
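The correlation described in the bullets above, as an added example (not taken from the page's sources or from any vendor tooling): it flags SetNTPServer POSTs whose Server value is not a plain hostname or IP, which is a broader allowlist check than the pipe and semicolon the page names, and escalates when the same session then fetches stage.txt. The log tuple layout, the `/api` path prefix, the `<cmd>` marker and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed log layout (constructed, not a FlexAir format):
# (timestamp, client, session_id, method, path, form_params), sorted by time.
# The "/api" prefix and "<cmd>" are placeholders.
SAMPLE_LOG = [
    ("2019-07-02T10:00:01", "10.0.0.5", "sess-a", "POST", "/api/SetNTPServer", {"Server": "pool.ntp.org"}),
    ("2019-07-02T10:05:10", "10.0.0.9", "sess-b", "POST", "/api/SetNTPServer", {"Server": "192.0.2.10|<cmd>"}),
    ("2019-07-02T10:05:12", "10.0.0.9", "sess-b", "GET", "/app/images/logos/stage.txt", {}),
    ("2019-07-02T10:20:00", "10.0.0.7", "sess-c", "GET", "/app/images/logos/stage.txt", {}),
    ("2019-07-02T10:30:00", "10.0.0.8", "sess-d", "POST", "/api/SetNTPServer", {"Server": "time.example.net;<cmd>"}),
]

DROP_PATH = "/app/images/logos/stage.txt"
# Allowlist: a hostname or IP literal only. Anything else (pipe, semicolon,
# spaces, backticks, ...) is treated as a possible injection attempt.
SAFE_NTP_VALUE = re.compile(r"[A-Za-z0-9.:-]{1,253}")

def detect(records, window=timedelta(seconds=60)):
    """Return alerts as (severity, session_id, timestamp, reason) tuples."""
    alerts = []
    suspicious_post = {}  # session_id -> time of last suspicious SetNTPServer POST
    for ts, client, session, method, path, params in records:
        when = datetime.fromisoformat(ts)
        path = path.split("?", 1)[0]
        if method == "POST" and path.endswith("SetNTPServer"):
            value = params.get("Server")
            if value is not None and not SAFE_NTP_VALUE.fullmatch(value):
                suspicious_post[session] = when
                alerts.append(("high", session, ts, f"non-hostname Server value {value!r} from {client}"))
        elif method == "GET" and path == DROP_PATH:
            prior = suspicious_post.get(session)
            if prior is not None and timedelta(0) <= when - prior <= window:
                alerts.append(("critical", session, ts, "stage.txt fetched right after suspicious SetNTPServer POST"))
            else:
                alerts.append(("medium", session, ts, "stage.txt fetched without a correlated POST"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

The check only works where the log source records POST form parameters; a plain access log without request bodies supports only the stage.txt rule.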
CVSS provenance
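| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |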
CISA ICS
Prima Systems FlexAir
cisa_ics·2019-07-30·CVSS 7.2
[HIGH] Prima Systems FlexAir
ICS Advisory
## Prima Systems FlexAir
Last Revised: July 30, 2019
Alert Code: ICSA-19-211-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Prima Systems
- Equipment: FlexAir
- Vulnerabilities: OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Exploitation of these vulnerabilities may allow an attacke
GHSA
GHSA-pqmc-5wjw-632r: Prima Systems FlexAir devices allow Authenticated Command Injection resulting in Root Remote Code Execution
ghsa_unreviewed·2022-05-24
CVE-2019-7670 [HIGH] CWE-78 GHSA-pqmc-5wjw-632r: Prima Systems FlexAir devices allow Authenticated Command Injection resulting in Root Remote Code Execution
Prima Systems FlexAir devices allow Authenticated Command Injection resulting in Root Remote Code Execution.
- http://packetstormsecurity.com/files/155271/FlexAir-Access-Control-2.3.38-Remote-Root.html
- https://applied-risk.com/labs/advisories
- https://www.us-cert.gov/ics/advisories/icsa-19-211-02
- https://www.applied-risk.com/resources/ar-2019-007
Published: 2019-07-01