CVE-2019-7667

9.8 CRITICAL

📋 TL;DR

Prima Systems FlexAir access control systems generate database backup files with predictable names, allowing attackers to brute-force download these files. This exposes login credentials, enabling authentication bypass and full system access. Affects FlexAir versions 2.3.38 and earlier.

💻 Affected Systems

Products:
  • Prima Systems FlexAir Access Control
Versions: 2.3.38 and prior
Operating Systems: Not specified - likely embedded system
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable as predictable backup naming is inherent to the software.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative access, credential theft, and potential physical access control bypass.

🟠 Likely Case

Authentication bypass leading to unauthorized access to the access control system and sensitive data exposure.

🟢 If Mitigated

Limited impact if database backups are properly secured and network access is restricted.

🌐 Internet-Facing: HIGH - If exposed to internet, attackers can easily brute-force predictable backup filenames.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access and simple brute-forcing of predictable filenames.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.3.39 or later

Vendor Advisory: https://www.applied-risk.com/resources/ar-2019-007

Restart Required: Yes

Instructions:

1. Contact Prima Systems for updated software version 2.3.39 or later.
2. Back up the current configuration.
3. Apply the update following vendor instructions.
4. Restart the system.
5. Verify the fix.

🔧 Temporary Workarounds

Restrict network access

linux

Block external access to FlexAir web interface and backup directories

# trusted_network is a placeholder: replace it with your management subnet in CIDR notation
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disable automatic backups

all

Turn off automatic database backup generation if not required

Check FlexAir configuration interface for backup settings

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FlexAir systems from untrusted networks
  • Monitor web server logs for unusual access patterns to backup files

🔍 How to Verify

Check if Vulnerable:

Check if running FlexAir version 2.3.38 or earlier via web interface or system information

Check Version:

Check web interface at http://[system-ip]/status or similar endpoint

Verify Fix Applied:

Verify system is running version 2.3.39 or later and test if predictable backup files are accessible

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed requests to backup file patterns
  • Successful downloads of database backup files

Network Indicators:

  • HTTP requests to predictable backup filenames (e.g., backup_*.db, *.bak)

SIEM Query:

source="web_logs" AND (uri="*backup*" OR uri="*.db" OR uri="*.bak") AND status=200
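
The two log indicators above can also be checked offline against a web server access log. The script below is an added example, not vendor or advisory code: it groups backup-like requests by client and separates enumeration (several distinct failed names) from a served download. The common log format, the threshold of 3 and the sample lines are assumptions; the name patterns follow the network indicators listed above.

```python
import re
from collections import defaultdict
# Constructed access-log lines (common log format); addresses and file names are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2019:10:00:01 +0000] "GET /backup_0001.db HTTP/1.1" 404 162
198.51.100.7 - - [12/Mar/2019:10:00:01 +0000] "GET /backup_0002.db HTTP/1.1" 404 162
198.51.100.7 - - [12/Mar/2019:10:00:02 +0000] "GET /backup_0003.db HTTP/1.1" 404 162
198.51.100.7 - - [12/Mar/2019:10:00:02 +0000] "GET /backup_0004.db HTTP/1.1" 200 48211
203.0.113.20 - - [12/Mar/2019:11:15:40 +0000] "GET /old/a.bak HTTP/1.1" 404 162
203.0.113.20 - - [12/Mar/2019:11:15:41 +0000] "GET /old/b.bak HTTP/1.1" 403 162
203.0.113.20 - - [12/Mar/2019:11:15:41 +0000] "GET /old/c.bak?x=1 HTTP/1.1" 404 162
192.0.2.10 - - [12/Mar/2019:12:30:00 +0000] "GET /backup_0004.db HTTP/1.1" 200 48211
192.0.2.55 - - [12/Mar/2019:13:00:05 +0000] "GET /backup.db HTTP/1.1" 404 162
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# Name patterns follow the page's indicators (backup*, *.db, *.bak); tune for your site.
BACKUP_RE = re.compile(r"backup|\.(db|bak)$", re.IGNORECASE)

def detect(log_text, miss_threshold=3):
    """Return {client_ip: (verdict, distinct_misses, downloaded_paths)}."""
    misses = defaultdict(set)    # ip -> distinct backup-like paths that failed (4xx)
    hits = defaultdict(list)     # ip -> backup-like paths served with 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the assumed format
        ip, uri, status = m.group(1), m.group(2), int(m.group(3))
        path = uri.split("?", 1)[0]          # ignore query strings when matching
        if not BACKUP_RE.search(path):
            continue
        if status == 200:
            hits[ip].append(path)
        elif 400 <= status < 500:
            misses[ip].add(path)
    alerts = {}
    for ip in set(misses) | set(hits):
        enumerating = len(misses[ip]) >= miss_threshold
        if enumerating and hits[ip]:
            alerts[ip] = ("enumeration+download", len(misses[ip]), hits[ip])
        elif hits[ip]:
            alerts[ip] = ("download", len(misses[ip]), hits[ip])
        elif enumerating:
            alerts[ip] = ("enumeration", len(misses[ip]), hits[ip])
    return alerts

if __name__ == "__main__":
    for ip, alert in sorted(detect(SAMPLE_LOG).items()):
        print(ip, *alert)
```

Any client reported with a download verdict has received a backup file, so treat the credentials stored in that database as exposed and rotate them.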
