Manufacturer addresses threat to integrity and availability of products sold to more than 20 OEM vendors
UPDATED Attackers could remotely unlock doors in critical infrastructure facilities by exploiting recently patched vulnerabilities in HID Mercury access control panels, security researchers have claimed.
Sam Quinn and Steve Povolny from Trellix Threat Labs uncovered eight security flaws in the industrial control system (ICS) technology that “allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms, and undermine logging and notification systems”, they said in a technical write-up.
In a security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) said that successful exploitation could allow “monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition”.
However, Carrier, which sells the HID Mercury panels tested by Trellix under its LenelS2 brand, told The Daily Swig that Trellix’s “method of scoring (CVSS) is subjective and does not capture or reflect actual operational risk based on the manufacturer’s recommended installation requirements.”
The findings emerged from a penetration test in which Quinn and Povolny combined known and novel hardware hacking techniques to manipulate on-board components of the LenelS2-branded products, and achieved root access to the device’s Linux operating system.
Then the duo discovered the remotely exploitable flaws and created a two-bug exploit to gain root-level privileges. This enabled them to create a program that could run alongside the legitimate firmware and unlock any door and subvert system monitoring.
The researchers captured the exploit in the video below:
The vulnerable panels are used in government, healthcare, transportation, and education settings, among other sectors, and can be integrated with complex building automation deployments.
“All Mercury OEM [original equipment manufacturer] vendors are or were vulnerable to these issues if not updated to the patched firmware versions that were recently released,” Steve Povolny, head of advanced threat research at Trellix, told The Daily Swig. “This includes at least 20+ OEM partners installed globally, and indicates an extremely large installation base.”
The researchers recommend that “customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors”.
A security advisory (PDF) published on June 2 by Carrier provides advice on updating firmware for vulnerable LenelS2 models and, in the meantime, mitigating the risk by disabling web access.
The flaws include a critical unauthenticated buffer overflow leading to remote code execution (RCE) that earned a maximum severity score of CVSS 10.0 (CVE-2022-31481).
The second most severe issue, a critical command injection bug, notched a CVSS of 9.6 (CVE-2022-31479).
These two were chained to achieve RCE with arbitrary reboot. “However, it is highly likely that with some effort, CVE-2022-31481 could be used standalone to achieve the similar effect, using techniques such as return-oriented programming (ROP) to get code execution,” said Povolny.
The exploit might provide a path to pivoting to other systems too, he continued. “Given arbitrary code execution as root, it would make this process easier,” he said. “Malicious actors must have access to the network the devices are installed on in order to exploit them. In certain installations of these access controllers, that could prove more difficult, and in others it may be trivial. The best practice to secure networks would be to isolate them from other devices or systems that could weaken the security posture through exploitation.”
The other flaws included a critical arbitrary file write issue (CVE-2022-31483) and a high severity authenticated command injection (CVE-2022-31486), which was the only issue yet to be patched, according to Trellix. The cybersecurity firm believes a fix is days away from landing.
The bug batch is completed by three high severity issues comprising a pair of denial-of-service (DoS) bugs (CVE-2022-31480 and CVE-2022-31482) and unauthenticated user modification issue (CVE-2022-31484), plus a medium severity unauthenticated information spoofing bug (CVE-2022-31485).
Carrier said it “disputes Trellix scoring of these vulnerabilities”, adding: “In keeping with our commitment to the cybersecurity of all products we sell regardless of manufacturer, we proactively filed all eight CVEs as a CVE numbering authority within the CVE program.”
The researchers said they “did not expect to find common, legacy software vulnerabilities in a relatively recent technology”, especially one approved for US federal government use. “It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment,” they advised.
Carrier also told The Daily Swig: “The HID Mercury access control panel is designed and manufactured by third-party supplier HID Mercury and resold by a great number of other companies, including LenelS2, under their own and HID Mercury brand names. Therefore, the vulnerability is with HID Mercury, not with Carrier’s LenelS2.
“There were four zero-day vulnerabilities identified by Trellix. Earlier this year, these were proactively communicated to LenelS2 sales channels along with a temporary mitigation and plan for permanent fix. The other four vulnerabilities were patched and corrected before the Trellix assessment and are therefore not zero-day vulnerabilities.
“At this time LenelS2 is not aware of any exploitations of these identified vulnerabilities and has not been informed of any by HID Mercury. LenelS2 has taken precautions and corrective actions to inform and address with customers and partners to mitigate these vulnerabilities. LenelS2 has also reached out to Trellix who will be updating their materials with some clarifying points.”
This article was updated on June 14 with comments from Carrier, and on June 15 with additional comments from Steve Povolny from Trellix. The Daily Swig also invited HID Global to comment but we have yet to hear back.