8 zero-day vulnerabilities discovered in popular industrial control system from Carrier – The Record by Recorded Future
Eight zero-day vulnerabilities affecting a popular industrial control system provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues.
The vulnerabilities affect the LenelS2 Mercury access control panel, which is used to grant physical access to facilities and integrate with more complex building automation deployments.
Carrier's LenelS2 Mercury access control panels are widely used across hundreds of companies in the healthcare, education, and transportation industries as well as federal government agencies and organizations.
Trellix said they combined both known and novel techniques that allowed them to hack the system, achieve root access to the device's operating system and pull firmware for emulation and vulnerability discovery.
Carrier associate director of product security architecture Joshua Jessurun disputed the idea that these are zero-day vulnerabilities but told The Record that his team worked with Trellix on remediating the issues and released an advisory with detailed guidelines on what users need to do to address the vulnerabilities. Some of the issues need to be mitigated while most are addressed in firmware updates.
The Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory on the issues, which are tagged as CVE-2022-31479, CVE-2022-31480, CVE-2022-31481, CVE-2022-31482, CVE-2022-31483, CVE-2022-31484, CVE-2022-31485, and CVE-2022-31486, with most carrying CVSS scores above 7.5.
CISA explained that exploitation of the bugs would give an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.
Trellix security researchers Steve Povolny and Sam Quinn said they anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques.
"While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology. Furthermore, this product has been approved for U.S. Federal Government use following rigorous security vulnerability and interoperability testing," the two explained, noting that they took their findings to CISA after discovery.
"Using the manufacturer's built-in ports, we were able to manipulate on-board components and interact with the device. Through reverse engineering and live debugging, we discovered six unauthenticated and two authenticated vulnerabilities exploitable remotely over the network."
They managed to bypass security measures by utilizing hardware hacking techniques to force the system into desired states.
The two explained that by chaining just two of the vulnerabilities together, they were able to exploit the access control board and gain root level privileges on the device remotely.
"With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring," they said.
"Most significantly, the vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems."
They added that customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations.
The two noted that the tools were added to the Government Service Administration (GSA) Approved Product List (APL) and were approved for federal government use, giving the impression that the product was highly vetted.
"It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment," Povolny and Quinn said.
Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.