SB2019073013 - Multiple vulnerabilities in Prima Systems FlexAir

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2019-7670)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to the application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. A remote attacker can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Arbitrary file upload (CVE-ID: CVE-2019-7669)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to improper validation of file extensions when uploading files through the Python script upload. A remote authenticated attacker can upload python applications into directory within application’s web root and execute them with privileges of the web server.

3) Cross-site request forgery (CVE-ID: CVE-2019-7281)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

4) Small Space of Random Values (CVE-ID: CVE-2019-7280)

5) Stored cross-site scripting (CVE-ID: CVE-2019-7671)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to parameters sent to scripts are not properly sanitized before being returned to the user. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Exposure of Backup File to an Unauthorized Control Sphere (CVE-ID: CVE-2019-7667)

7) Improper Authentication (CVE-ID: CVE-2019-7666)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the application allows improper authentication with the MD5 hash value of the password. A remote authenticated attacker can authenticate to the application without knowing the password of a specific username if previously obtained the database with all the MD5 hash passwords.

8) Use of hard-coded credentials (CVE-ID: CVE-2019-7672)

The vulnerability allows a remote attacker to gain full access to vulnerable system.

The vulnerability exists due to the flash version of the web interface contains a hard-coded username and password within the SWF file. A remote authenticated attacker can access the affected system using the hard-coded credentials and escalate privileges on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

9) Arbitrary file upload (CVE-ID: CVE-2019-9189)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the application allows the upload of arbitrary Python scripts when configuring the main central controller. A remote authenticated administrator can  immediately execute these scripts and gain full access to the target system.

Remediation

Install update from vendor's website.

References

• https://applied-risk.com/labs/advisories
• https://www.applied-risk.com/resources/ar-2019-007
• https://applied-risk.com/resources/ar-2019-007