An industrial control system (ICS) was found to contain several high-severity flaws that would allow potential threat actors not only to gain access to the target endpoint, but also to gain physical access to what would otherwise be prohibited installations.
Trellix cybersecurity researchers recently investigated Carrier's LenelS2 access control panels, manufactured by HID Mercury and, according to the researchers, used by health, education, transportation, and government physical security organizations.
What they found was a total of eight vulnerabilities, one of which even has the maximum vulnerability score of 10.
Attacking the hardware
“For this project, we anticipated a high potential for vulnerability detection, knowing that the gatekeeper was running a Linux operating system and that root access to the card could be obtained by leveraging classic material hacking techniques,” the researchers said in a blog post.
“Although we thought that flaws could be found, we did not expect to find common legacy software vulnerabilities in relatively new technology.”
They first attacked the hardware, that is, the built-in ports, which allowed them to access the built-in debug ports. From there, they were able to access the system's firmware and binaries, allowing them to reverse engineer and debug the firmware live.
That's when researchers discovered six unauthenticated and two authenticated vulnerabilities, all of which could be exploited remotely.
"By chaining just two of the vulnerabilities, we were able to exploit the access control card and gain root-level privileges on the device remotely," the researchers added.
“With this level of access, we created a program that would run alongside legitimate software and control the doors. This allowed us to unlock any door and subvert any surveillance in the system.”
Along with CVE-2022-31481, which has a severity score of 10, the researchers also discovered CVE-2022-31479 and CVE-2022-31483, with severity scores of 9.0 and 9.1, respectively.
Trellix, whose product has been approved by the US federal government, urged all customers to immediately apply vendor-provided patches.