An industrial control system (ICS) was found to be carrying multiple high-severity flaws, which would allow potential threat actors to not only access the target endpoint (opens in new tab) – but to enable physical access to otherwise off-limits premises.
Cybersecurity researchers from Trellix recently dug into Carrier’s LenelS2 access control panels, manufactured by HID Mercury and, as per the researchers, used by organizations across healthcare, education, transportation, and government physical security.
What they found was a total of eight vulnerabilities, one of which even has the maximum vulnerability score of 10.
Attacking the hardware
“For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques,” the researchers said in a blog post.
“While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.”
They first attacked the hardware, namely the built-in ports (opens in new tab), which allowed them to access on-board debugging ports. From there, they managed to access the firmware and system binaries, which gave them the ability to reverse-engineer and live debug the firmware.
It’s then that the researchers found six unauthenticated and two authenticated vulnerabilities, all of which could be exploited remotely.
“By chaining just two of the vulnerabilities together, we were able to exploit the access control board and gain root level privileges on the device remotely,” the researchers further said.
“With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring.”
Besides CVE-2022-31481, which has a severity score of 10, the researchers also discovered CVE-2022-31479, and CVE-2022-31483, with severity scores of 9.0 and 9.1, respectively.
Trellix, whose product was vetted by the US federal government, urged all customers to apply vendor-issued patches immediately.