8 zero-day vulnerabilities discovered in popular industrial control system from Carrier – The Record by Recorded Future

Eight zero-day vulnerabilities affecting a popular industrial control system provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues.

The vulnerabilities affect the LenelS2 Mercury access control panel, which is used to grant physical access to facilities and integrate with more complex building automation deployments.

Carrier's LenelS2 Mercury access control panels are widely used across hundreds of companies in the healthcare, education, and transportation industries, as well as federal government agencies and organizations.

Trellix said they combined both known and novel techniques that allowed them to hack the system, achieve root access to the device's operating system and pull firmware for emulation and vulnerability discovery.

Carrier associate director of product security architecture Joshua Jessurun disputed the idea that these are zero-day vulnerabilities but told The Record that his team worked with Trellix on remediating the issues and released an advisory with detailed guidelines on what users need to do to address the vulnerabilities. Some of the issues need to be mitigated while most are addressed in firmware updates.

The Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory on the issues, which are tagged as CVE-2022-31479, CVE-2022-31480, CVE-2022-31481, CVE-2022-31482, CVE-2022-31483, CVE-2022-31484, CVE-2022-31485 and CVE-2022-31486, with most carrying CVSS scores above 7.5.

CISA explained that exploitation of the bugs would give an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.

Trellix security researchers Steve Povolny and Sam Quinn said they anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux operating system and that root access to the board could be achieved by leveraging classic hardware hacking techniques.

"While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology. Furthermore, this product has been approved for U.S. Federal Government use following rigorous security vulnerability and interoperability testing," the two explained, noting that they took their findings to CISA after discovery.

"Using the manufacturer's built-in ports we were able to manipulate on-board components and interact with the device. Through reverse engineering and live debugging, we discovered six unauthenticated and two authenticated vulnerabilities exploitable remotely over the network."

They managed to bypass security measures by utilizing hardware hacking techniques to force the system into desired states.

The two explained that by chaining just two of the vulnerabilities together, they were able to exploit the access control board and gain root level privileges on the device remotely.

"With this level of access, we created a program that would run alongside the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring," they said.

"Most significantly, the vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems."

They added that customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital and physical breaches of sensitive information and protected locations.

The two noted that the tools were added to the Government Service Administration (GSA) Approved Product List (APL) and were approved for federal government use, giving the impression that the product was highly vetted.

"It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment," Povolny and Quinn said.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

See the original post here:
8 zero-day vulnerabilities discovered in popular industrial control system from Carrier - The Record by Recorded Future
