{"id":36637,"date":"2022-06-10T06:02:00","date_gmt":"2022-06-10T06:02:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36637"},"modified":"2022-06-10T06:02:00","modified_gmt":"2022-06-10T06:02:00","slug":"researchers-find-eight-cves-in-single-building-access-system","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36637","title":{"rendered":"Researchers find eight CVEs in single building access system"},"content":{"rendered":"
<\/div>\n

A series of eight newly designated common vulnerabilities and exposures (CVEs) in a building access control system built by HID Mercury and sold by Carrier<\/a> \u2013 a global supplier of building systems for physical security, HVAC, and so on \u2013 could enable attackers to obtain full system control and remotely manipulate door locks, according to researchers at Trellix Threat Labs<\/a>.<\/p>\n

The Trellix vulnerability research team, which has a special interest in threats to operational technology<\/a> (OT) and industrial control systems<\/a> (ICS), conducted its research on Carrier\u2019s LenelS2 access control panels, which are used by organisations across multiple verticals, including healthcare, education, transport and the public sector. In the US, notably, this product is approved for use at federal government properties.<\/p>\n

Trellix\u2019s team said it chose to work with this specific access control panel because it is in widespread use across critical industries, has a strong market position, and has been certified as secure.<\/p>\n

\u201cFor this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux operating system and root access to the board could be achieved by leveraging classic hardware hacking techniques,\u201d the team said in a disclosure blog<\/a>.<\/p>\n

\u201cWhile we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.\u201d<\/p>\n

The team combined a number of known and novel techniques to hack the control panels using a phased approach \u2013 first using hardware hacking techniques to use on-board debugging ports to force the system into desired states that bypass security measures. This enabled them to achieve root access to the operating system, to pull its firmware and modify startup scripts to gain persistent access.<\/p>\n

With both firmware and system binaries to hand, the team then moved on to software accessible from the underlying network. Via a combination of reverse engineering and live debugging, they found six unauthenticated and two authenticated vulnerabilities that they could exploit remotely.<\/p>\n

From there, they were able to chain two of those vulnerabilities to exploit the access control board and gain remote root level privileges on the device. This allowed them to create and run their own program to unlock any controlled doors and subvert system monitoring.<\/p>\n

\u201cThe vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems,\u201d they said. \u201cThe highest CVE, an unauthenticated remote code execution<\/a> (RCE), received a base score of 10 CVSS, the maximum score for a vulnerability.\u201d<\/p>\n

The full list of vulnerabilities is as follows:<\/p>\n