
Researchers find eight CVEs in single building access system

A series of eight vulnerabilities in Carrier LenelS2 building access panels could enable malicious actors to obtain physical access to their targets.

By Alex Scroxton

Published: 10 Jun 2022 11:02

A series of eight newly designated common vulnerabilities and exposures (CVEs) in a building access control system built by HID Mercury and sold by Carrier – a global supplier of building systems for physical security, HVAC, and so on – could enable attackers to obtain full system control and remotely manipulate door locks, according to researchers at Trellix Threat Labs.

The Trellix vulnerability research team, which has a special interest in threats to operational technology (OT) and industrial control systems (ICS), conducted its research on Carrier’s LenelS2 access control panels, which are used by organisations across multiple verticals, including healthcare, education, transport and the public sector. In the US, notably, this product is approved for use at federal government properties.

Trellix’s team said it chose to work with this specific access control panel because it is in widespread use across critical industries, has a strong market position, and has been certified as secure.

“For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux operating system and root access to the board could be achieved by leveraging classic hardware hacking techniques,” the team said in a disclosure blog.

“While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.”

The team combined a number of known and novel techniques to hack the control panels in a phased approach. First, they used hardware hacking techniques, working through on-board debugging ports to force the system into desired states that bypass security measures. This gave them root access to the operating system, which let them pull its firmware and modify startup scripts to gain persistent access.

With both firmware and system binaries to hand, the team then moved on to software accessible from the underlying network. Via a combination of reverse engineering and live debugging, they found six unauthenticated and two authenticated vulnerabilities that they could exploit remotely.

From there, they were able to chain two of those vulnerabilities to exploit the access control board and gain remote root level privileges on the device. This allowed them to create and run their own program to unlock any controlled doors and subvert system monitoring.

“The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems,” they said. “The highest CVE, an unauthenticated remote code execution (RCE), received a base score of 10 CVSS, the maximum score for a vulnerability.”

The full list of vulnerabilities is as follows:

  • CVE-2022-31479, an unauthenticated command injection vulnerability.
  • CVE-2022-31480, an unauthenticated denial-of-service vulnerability.
  • CVE-2022-31481, the above-mentioned CVSS 10 rated RCE vulnerability.
  • CVE-2022-31482, an unauthenticated denial-of-service vulnerability.
  • CVE-2022-31483, an authenticated arbitrary file write vulnerability.
  • CVE-2022-31484, an unauthenticated user modification vulnerability.
  • CVE-2022-31485, an unauthenticated information spoofing vulnerability.
  • CVE-2022-31486, an authenticated command injection vulnerability.

In response to the disclosure, Carrier has published an advisory with further specifics, mitigations and firmware updates, which users should apply immediately.  

Also, HID Global has since confirmed that all OEM partners using Mercury boards will be vulnerable to these issues on specific hardware controller platforms, and the research is also actionable for suppliers and third parties that work with Carrier to install access systems. End-users using these boards should contact their OEM partner for access to patches.

According to a 2021 IBM study, physical security breaches cost over $3.5m on average, and can take up to seven months to be identified. Also, because OT and IT systems are increasingly convergent, exploitation opportunities for threat actors become more frequent, and consequences more severe, particularly if a compromised system is operated by a critical national infrastructure (CNI) provider, such as a household utility or telecoms network.

“While the stakes are already high, they are still growing,” said Trellix’s team. “Supporting organisations to get ahead of threats to industrial systems is a national security imperative. Groups like CISA have launched priorities, goals and best practices to ensure the attack surface of ICS is defended from urgent threats and long-term risks.

“It is important for consumers to note that the vulnerabilities disclosed today may seem like they have little impact, but critical infrastructure attacks do impact our daily lives. Cyber attacks such as the infamous Colonial Pipeline serve as a reminder of this.”






Confessions of an in-house creative strategist on feeling unfulfilled, difficulty in returning to agencies as the ‘pay is less’


The war for talent between agencies and brands’ in-house agencies has cooled. Even so, for adland talent who’ve made the move in-house, some say they are looking to go back to agencies after feeling creatively stifled. It’s not the easiest strategy to execute.

In the latest edition of our Confessions series, in which we trade anonymity for candor, we hear from an in-house creative strategist about their experience, why they want to go agency-side now and how pay is keeping them from doing so.

This conversation has been lightly edited and condensed for clarity.

What’s the in-house experience like?

I’ve been in-house for about a year. It’s very one-sided. The difference between agency and in-house is that with agencies, there [are] a lot of opinions and ideas [outside of the brand message] that go into creative. With in-house, you have the brand’s message and all creative is reflective of the brand’s message. With in-house, regardless of trends in the market, it’s a lot of ‘we’re going to stick to this one way of doing things’ mentality. It’s a lot of opinions about what the creative should be based on what it has been before. It makes it hard to introduce something fresh. It makes it hard to hire or be a new hire. If you’re not actually going to adhere to advice from new hires, what’s the point in getting new people? Are you just bringing people on board for a second opinion? That’s what it feels like.

Sounds like you don’t have the creative control you desire.

It feels like more of a second opinion role than to get something to manage or control. [Where I am now] it feels like we’re leaning more into what [our strategy] used to be than thinking about what we could be. That’s a big issue with in-house. With agencies, like I said, there’s a lot more trial and error. With in-house, a lot more of this is what we’re doing, these are the funds we have and this is what has worked in the past. In reality, a lot of what worked in the past, when you put it back into the market, it’s not going to work anymore. 

Why do you think it’s more challenging to get to a new creative strategy in-house?

With agencies, you have multiple perspectives. You’re working on multiple brands. You can see something working for another brand and talk to your client about it. You can pivot. You have the background and perspective to [pitch that pivot]. When you’re in-house, you only have the knowledge of your brand and what’s working for you. 

Are you looking to go back to agencies? 

Personally, I am looking to go from in-house to agency but I get paid a lot more being in-house than what I’ve been offered at agencies. I’ve been in interviews with agencies where they’re telling me that I’ll be learning [programs I already know how to use] so that’s why the pay is less than what it should be. There are agencies I’ve interviewed with who ask me to move to New York for less than what I make now and make that work. [With inflation,] there’s no reason why salaries aren’t also increasing. 

So you’d like to make the jump creatively but it’s hard when the compensation isn’t up to what in-house offers? 

It’s hard. I’ve been lowballed, too. They’ll post a salary for a position, go through the interviews and then offer less than what’s listed on the salary description. What was the point of putting the salary range there? I feel like people are putting salary ranges on job descriptions just to attract people with the experience that they are looking for but by the time they make the offer, it’s not what they said it would be. It’s offensive.

https://digiday.com/?p=452660
