HID Mercury access control vulnerabilities leave door open to lock manipulation

Manufacturer addresses threat to integrity and availability of physical access systems sold by LenelS2

PortSwigger

UPDATED Attackers could remotely unlock doors in critical infrastructure facilities by exploiting recently patched vulnerabilities in LenelS2 access control panels, security researchers have claimed.

Sam Quinn and Steve Povolny from Trellix Threat Labs uncovered eight security flaws in the industrial control system (ICS) technology, which is manufactured by HID Mercury and resold under LenelS2 branding, that “allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms, and undermine logging and notification systems”, they said in a technical write-up.

In a security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) said that successful exploitation could allow “monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition”.

However, Carrier told The Daily Swig that Trellix’s “method of scoring (CVSS) is subjective and does not capture or reflect actual operational risk based on the manufacturer’s recommended installation requirements.”

Chain reaction

The findings emerged from a penetration test in which Quinn and Povolny combined known and novel hardware hacking techniques to manipulate on-board components and achieve root access to the device’s Linux operating system.

Then the duo conducted reverse engineering and live debugging to discover the remotely exploitable flaws, two of which they chained to exploit the access control board and remotely gain root-level privileges. This enabled them to create a program that could run alongside the legitimate firmware and unlock any door and subvert system monitoring.

The researchers captured the exploit in the video below:

The vulnerable panels are used in government, healthcare, transportation, and education settings, among other sectors, and can be integrated with complex building automation deployments.

Bug breakdown

The flaws include a critical unauthenticated buffer overflow leading to remote code execution (RCE) that earned a maximum severity score of CVSS 10.0 (CVE-2022-31481).

The second most severe issue, a critical command injection bug notching a CVSS of 9.6 (CVE-2022-31479), could see an unauthenticated attacker “update the hostname with a specially crafted name, allowing shell command execution during the core collection process”, explained CISA.
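The hostname injection described above (and the "specially crafted route" to edit_route.cgi in the CVE-2022-31486 entry further down) is the same defect class: an untrusted string spliced into a command line that a shell later parses. The following is an added illustration, not code from Trellix, Carrier or HID; it shows the defective pattern beside a hardened one that allow-lists the hostname and passes it as its own argv element so no shell ever interprets it. The `hostname` invocation and the sample inputs are assumptions for the demonstration.

```python
import re
import subprocess
from typing import List

# RFC 1123 hostname label: 1 to 63 characters, letters, digits and hyphens,
# neither starting nor ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: at most 253 characters, every dot-separated label well-formed.

    Shell metacharacters (';', '|', '$', '`', whitespace, quotes) can never pass,
    because the character class admits only letters, digits, hyphens and dots.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def vulnerable_build_command(name: str) -> str:
    """The defective pattern: the untrusted value is spliced into a command line that
    a shell will later parse, so metacharacters in the name become extra commands.
    The string is returned rather than executed so the problem stays visible."""
    return f"hostname {name}"


def hardened_build_argv(name: str) -> List[str]:
    """The hardened pattern: reject anything outside the allow-list, then pass the
    value as a separate argv element so no shell ever interprets it."""
    if not is_valid_hostname(name):
        raise ValueError(f"rejected hostname: {name!r}")
    return ["hostname", name]


def apply_hostname(name: str, dry_run: bool = True) -> List[str]:
    """Validate and (unless dry_run) apply the hostname via subprocess without a shell.
    Returns the argv that would be (or was) executed."""
    argv = hardened_build_argv(name)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate name and one carrying a shell metacharacter.
    for candidate in ("panel-01.plant.internal", "panel-01; id"):
        print(f"{candidate!r}: shell would see {vulnerable_build_command(candidate)!r}")
        try:
            print("   hardened argv:", apply_hostname(candidate))
        except ValueError as err:
            print("   hardened:", err)
```

Escaping (for example with `shlex.quote`) is the weaker alternative to this: it keeps the shell in the loop and only papers over the parsing step, whereas a strict allow-list plus `shell=False` removes the interpreter from the path entirely. The same two steps apply to any other device setting that ends up in a system command, such as the route value in the CVE-2022-31486 description.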

Scoring CVSS 9.1, another critical, arbitrary file write issue (CVE-2022-31483) meant “an authenticated attacker can manipulate a filename to achieve the ability to upload the desired file anywhere on the filesystem”.
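The arbitrary file write above is a path-confinement failure: a caller-supplied filename is joined onto an upload directory without checking where the result lands. As an added illustration, not code from Trellix, Carrier or HID, the defective join is shown beside a hardened version that accepts only a bare file name and then confirms the resolved destination still lies inside the upload directory. The upload directory path and the sample filenames are assumptions for the demonstration; nothing is written to disk.

```python
import os
from pathlib import Path
from typing import Union

# Assumed upload directory for the illustration; the advisory names no path.
UPLOAD_ROOT = Path("/var/lib/panel/uploads")


def vulnerable_target_path(root: Union[str, Path], filename: str) -> str:
    """The defective pattern: the caller-supplied name is joined onto the upload
    directory unchecked. A name containing '../' segments, or an absolute name,
    resolves outside the directory, so the caller picks where the file lands.
    Only the path is computed; nothing is written."""
    return os.path.join(str(root), filename)


def hardened_target_path(root: Union[str, Path], filename: str) -> Path:
    """The hardened pattern: accept only a bare file name, then verify containment
    after resolving symlinks, so a planted link inside the directory cannot
    redirect the write either."""
    # Reject empty names, NUL bytes, '.' and '..', and anything with a separator,
    # before touching the filesystem at all.
    if (not filename or "\x00" in filename or filename in (".", "..")
            or os.path.basename(filename) != filename):
        raise ValueError(f"rejected filename: {filename!r}")
    root_abs = Path(root).resolve()
    target = (root_abs / filename).resolve()
    # Containment check: the upload directory must be a strict ancestor of the target.
    if root_abs not in target.parents:
        raise ValueError(f"destination escapes upload directory: {target}")
    return target


if __name__ == "__main__":
    # Constructed sample names: one legitimate, the rest attempting to leave the directory.
    for candidate in ("firmware.bin", "../../firmware/override.bin", "/tmp/override.bin", ".."):
        joined = os.path.normpath(vulnerable_target_path(UPLOAD_ROOT, candidate))
        print(f"{candidate!r}: unchecked join lands at {joined}")
        try:
            print("   hardened:", hardened_target_path(UPLOAD_ROOT, candidate))
        except ValueError as err:
            print("   hardened:", err)
```

The two checks are deliberately redundant: the basename test rejects traversal syntax cheaply and with a clear error, while the post-resolve ancestor test is what actually enforces the boundary, including against symlinks that the string check cannot see.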

And a high severity authenticated command injection with a CVSS rating of 8.8 (CVE-2022-31486) due to improper neutralization of special elements was the only issue yet to be patched, according to Trellix.

Other flaws include three high severity (all CVSS 7.5) issues comprising a pair of denial-of-service (DoS) bugs (CVE-2022-31480 and CVE-2022-31482) and an unauthenticated user modification issue (CVE-2022-31484), and an unauthenticated information spoofing bug scoring CVSS 5.3 (CVE-2022-31485).

Carrier said it “disputes Trellix scoring of these vulnerabilities”, adding: “In keeping with our commitment to the cybersecurity of all products we sell regardless of manufacturer, we proactively filed all eight CVEs as a CVE numbering authority within the CVE program.”

Mitigations

The vulnerable models include LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-4502, S2-LP-2500, and S2-LP-1502.

“HID Global [HID Mercury’s parent company] has confirmed that all OEM partners using Mercury boards are vulnerable to the issues on specific hardware controller platforms,” warned the researchers.

“This research is actionable for vendors and third parties that collaborate with companies like Carrier to install physical access systems. Customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors.”

A security advisory (PDF) published on June 2 by Carrier, which owns LenelS2, provides advice on updating firmware and, in the meantime, mitigating the risk by disabling web access.

‘Corrective actions’

The researchers said they “did not expect to find common, legacy software vulnerabilities in a relatively recent technology”, especially one approved for US federal government use. “It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment,” they advised.

Carrier also told The Daily Swig: “The HID Mercury access control panel is designed and manufactured by third-party supplier HID Mercury and resold by a great number of other companies, including LenelS2, under their own and HID Mercury brand names. Therefore, the vulnerability is with HID Mercury, not with Carrier’s LenelS2.

“There were four zero-day vulnerabilities identified by Trellix. Earlier this year, these were proactively communicated to LenelS2 sales channels along with a temporary mitigation and plan for permanent fix. The other four vulnerabilities were patched and corrected before the Trellix assessment and are therefore not zero-day vulnerabilities.

“At this time LenelS2 is not aware of any exploitations of these identified vulnerabilities and has not been informed of any by HID Mercury. LenelS2 has taken precautions and corrective actions to inform and address with customers and partners to mitigate these vulnerabilities. LenelS2 has also reached out to Trellix who will be updating their materials with some clarifying points.”

This article was updated on June 14 with comments from Carrier. The Daily Swig also invited HID Global to comment but we have yet to hear back.

Related news

LenelS2 access control vulnerabilities leave door open to lock manipulation

Vendor addresses threat to integrity and availability of physical access systems

Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

By Deeba Ahmed In total, eight zero-day vulnerabilities have been detected in Carrier’s industrial control systems (ICS) which, if exploited, allow… This is a post from HackRead.com Read the original post: Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

Researchers Disclose Critical Flaws in Industrial Access Control System from Carrier

As many as eight zero-day vulnerabilities have been disclosed in Carrier's LenelS2 HID Mercury access control system that's used widely in healthcare, education, transportation, and government facilities. "The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems," Trellix security

CVE-2022-31486

An authenticated attacker can send a specially crafted route to the “edit_route.cgi” binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.
