Security researchers have revealed eight new zero-day vulnerabilities in an industrial control system (ICS) that could enable attackers to physically access nominally secure facilities.
The bugs were discovered in Carrier’s LenelS2 access control panels, manufactured by HID Mercury, which the vendor markets to small businesses up to large enterprises. They’re said to be popular across healthcare, education, transportation and government sectors.
A team at Trellix found the vulnerabilities despite the product having been approved for US federal government use following supposedly rigorous vulnerability and interoperability testing.
“For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques,” the security vendor explained.
“While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.”
The researchers took a phased approach, starting with hardware hacking techniques which allowed them to access on-board debugging ports, force the system into the desired state and ultimately achieve permanent firmware access.
With access to firmware and system binaries, they then proceeded through reverse engineering and live debugging to find six unauthenticated and two authenticated vulnerabilities that could be remotely exploited.
“By chaining just two of the vulnerabilities together, we were able to exploit the access control board and gain root level privileges on the device remotely,” Trellix continued.
“With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring.”
The most serious vulnerability, an unauthenticated remote code execution bug tracked as CVE-2022-31481, received the maximum CVSS score of 10.0. High scores were also assigned to the unauthenticated command injection flaw CVE-2022-31479 (9.0) and the authenticated arbitrary file write bug CVE-2022-31483 (9.1).
Apart from locking and unlocking doors ‘secured’ by the product, the vulnerabilities could enable attackers to subvert alarms and undermine logging and notification systems.
Trellix urged users to apply vendor-issued patches and to always independently evaluate the certifications handed to any third-party IT or OT product before deployment.