An industrial control system (ICS) was found to carry several high-severity flaws that would allow potential threat actors not only to access the target endpoint but also to gain physical access to off-limits facilities.
Cybersecurity researchers at Trellix recently investigated Carrier’s LenelS2 access control panels, manufactured by HID Mercury and, according to the researchers, used by government health, education, transportation and physical security organizations.
What they found was a total of eight vulnerabilities, one of which has the maximum severity score of 10.
Attacking the hardware
“For this project, we anticipate strong potential for finding vulnerabilities, knowing that the access controller was running a Linux OS and root access to the board could be achieved by leveraging classic hardware hacking techniques,” the researchers said in a blog post.
“While we believed that flaws could be found, we did not expect to find common legacy software vulnerabilities in relatively recent technology.”
They attacked the hardware first, specifically the internal ports, which gave them access to the built-in debug ports. From there, they were able to access the firmware and system binaries, which gave them the ability to reverse engineer and debug the firmware live.
That’s when the researchers found six unauthenticated and two authenticated vulnerabilities, all of which could be exploited remotely.
“By chaining together just two of the vulnerabilities, we were able to exploit the access control card and gain root-level privileges on the device remotely,” the researchers said.
“With that level of access, we created a program that would run alongside legitimate software and control the ports. This allowed us to unlock any doors and subvert any system monitoring.”
In addition to CVE-2022-31481, which has a severity score of 10, the researchers also discovered CVE-2022-31479 and CVE-2022-31483, with severity scores of 9.0 and 9.1, respectively.
Trellix, whose product has been approved by the US federal government, has asked all customers to immediately apply vendor-issued patches.