Up to eight zero-day vulnerabilities have been disclosed in Carrier’s LenelS2 HID Mercury access control system widely used in healthcare, education, transportation and government facilities.
“The vulnerabilities discovered allow us to demonstrate the ability to remotely unlock and lock doors, destroy alarms, and disrupt logging and notification systems,” Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News.
In a nutshell, the problems can be weaponized by a malicious actor to gain control of the entire system, including the ability to control door locks. One of the bugs (CVE-2022-31481) is an unauthenticated remote execution vulnerability that is rated 10 out of 10 for severity on the CVSS scoring system.
The other flaws can lead to command injection (CVE-2022-31479, CVE-2022-31486), denial of service (CVE-2022-31480, CVE-2022-31482), user modification (CVE-2022-31484), and information spoofing (CVE-2022-31485), as well as arbitrary file write (CVE-2022-31483).
LenelS2 is used to grant physical access to privileged facilities and to integrate with more complex building automation deployments. The following HID Mercury access panels sold by LenelS2 are affected:
LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-1502, S2-LP-2500, and S2-LP-4502
Trellix notes that by chaining two of the aforementioned weaknesses, it can remotely gain root-level privileges on a device and unlock and control doors, effectively circumventing the system's monitoring protections.
Coinciding with the public disclosure is an industrial control systems (ICS) advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging users to update the access control panels to the latest firmware version (CARR-PSA-006-0622).
“Successful exploitation of these vulnerabilities could allow an attacker to gain access to the device, enable monitoring of all communications sent to and from the device, modify the built-in relay, change configuration files, and cause device instability and denial of service,” the agency said in a warning.