Researchers find eight CVEs in single building access system

A series of eight newly designated common vulnerabilities and exposures (CVEs) in a building access control system built by HID Mercury and sold by Carrier – a global supplier of building systems for physical security, HVAC, and so on – could enable attackers to obtain full system control and remotely manipulate door locks, according to researchers at Trellix Threat Labs.

The Trellix vulnerability research team, which has a special interest in threats to operational technology (OT) and industrial control systems (ICS), conducted its research on Carrier’s LenelS2 access control panels, which are used by organisations across multiple verticals, including healthcare, education, transport and the public sector. In the US, notably, this product is approved for use at federal government properties.

Trellix’s team said it chose to work with this specific access control panel because it is in widespread use across critical industries, has a strong market position, and has been certified as secure.

“For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux operating system and root access to the board could be achieved by leveraging classic hardware hacking techniques,” the team said in a disclosure blog.

“While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.”

The team combined a number of known and novel techniques to hack the control panels using a phased approach – first using hardware hacking techniques to use on-board debugging ports to force the system into desired states that bypass security measures. This enabled them to achieve root access to the operating system, to pull its firmware and modify startup scripts to gain persistent access.

With both firmware and system binaries to hand, the team then moved on to software accessible from the underlying network. Via a combination of reverse engineering and live debugging, they found six unauthenticated and two authenticated vulnerabilities that they could exploit remotely.

From there, they were able to chain two of those vulnerabilities to exploit the access control board and gain remote root level privileges on the device. This allowed them to create and run their own program to unlock any controlled doors and subvert system monitoring.

“The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems,” they said. “The highest CVE, an unauthenticated remote code execution (RCE), received a base score of 10 CVSS, the maximum score for a vulnerability.”

The full list of vulnerabilities is as follows:

• CVE-2022-31479, an unauthenticated command injection vulnerability.
• CVE-2022-31480, an unauthenticated denial-of-service vulnerability.
• CVE-2022-31481, the above-mentioned CVSS 10 rated RCE vulnerability.
• CVE-2022-31482, an unauthenticated denial-of-service vulnerability.
• CVE-2022-31483, an authenticated arbitrary file write vulnerability.
• CVE-2022-31484, an unauthenticated user modification vulnerability.
• CVE-2022-31485, an unauthenticated information spoofing vulnerability.
• CVE-2022-31486, an authenticated command injection vulnerability.

In response to the disclosure, Carrier has published an advisory with further specifics, mitigations and firmware updates, which users should apply immediately.  

Also, HID Global has since confirmed that all OEM partners using Mercury boards will be vulnerable to these issues on specific hardware controller platforms, and the research is also actionable for suppliers and third parties that work with Carrier to install access systems. End-users using these boards should contact their OEM partner for access to patches.

According to a 2021 IBM study, physical security breaches cost over $3.5m on average, and can take up to seven months to be identified. Also, because OT and IT systems are increasingly convergent, exploitation opportunities for threat actors become more frequent, and consequences more severe, particularly if a compromised system is operated by a critical national infrastructure (CNI) provider, such as a household utility or telecoms network.

“While the stakes are already high, they are still growing,” said Trellix’s team. “Supporting organisations to get ahead of threats to industrial systems is a national security imperative. Groups like CISA have launched priorities, goals and best practices to ensure the attack surface of ICS is defended from urgent threats and long-term risks.

“It is important for consumers to note that the vulnerabilities disclosed today may seem like they have little impact, but critical infrastructure attacks do impact our daily lives. Cyber attacks such as the infamous Colonial Pipeline serve as a reminder of this.”