Carrier's LenelS2 HID Mercury access control system, which is widely used in healthcare, academic, transport, and federal buildings, has eight zero-day vulnerabilities.
In a report shared by The Hacker News, Trellix security experts Steve Povolny and Sam Quinn wrote, "The vulnerabilities found enabled us to demonstrate the ability to remotely open and lock doors, manipulate alarms, and degrade logging and notification systems."
The investigation began at the hardware level: researchers were able to change onboard components and connect with the device by using the manufacturer's built-in ports.
Using a combination of known and unique techniques, they were able to gain root access to the device's operating system and extract its firmware for virtualization and for vulnerability and exploit research. One of the issues (CVE-2022-31481) is an unauthorized remote execution weakness with a CVSS severity rating of 10 out of 10. The following is the detailed list of flaws:
- CVE-2022-31479: unauthenticated command injection vulnerability
- CVE-2022-31480: unauthenticated denial-of-service vulnerability
- CVE-2022-31481: RCE vulnerability, rated CVSS 10
- CVE-2022-31482: unauthenticated denial-of-service vulnerability
- CVE-2022-31483: authenticated arbitrary file write vulnerability
- CVE-2022-31484: unauthenticated user modification vulnerability
- CVE-2022-31485: unauthenticated information spoofing vulnerability
- CVE-2022-31486: authenticated command injection vulnerability
In response to the revelation, Carrier has issued an alert that includes further details, mitigations, and firmware patches that consumers should apply right now.
LenelS2 is used in locations where physical access to privileged facilities must be controlled, and it connects with more complicated building automation implementations. The following LenelS2 HID Mercury access control panels are affected:
- LNL-X2210
- LNL-X2220
- LNL-X3300
- LNL-X4420
- LNL-4420
- S2-LP-1501
- S2-LP-1502
- S2-LP-2500
- S2-LP-4502
According to a study conducted by IBM in 2021, the average cost of a physical data breach is 3.54 million dollars, with a detection time of 223 days.
For companies that rely on access control systems to protect the security and safety of their facilities, the stakes are high. "ICS security presents unique issues," according to the US Cybersecurity and Infrastructure Security Agency (CISA). "The increasing convergence of information technology (IT) and operational technology (OT) presents chances for exploitation that could result in catastrophic repercussions, including loss of life, economic damage, and disruption of society's National Critical Functions (NCFs)."
Consumers should be aware that while the recently revealed vulnerabilities may appear to have minimal impact, attacks on critical infrastructure have a significant impact on our everyday lives.