As many as four zero-day security vulnerabilities have been disclosed in the HID Mercury access controller system that's used widely in healthcare, education, transportation, and government facilities.
"The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems," Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News.
The issues, in a nutshell, could be weaponized by a malicious actor to gain full system control, including the ability to manipulate door locks. One of the bugs (CVE-2022-31481) is an unauthenticated remote code execution flaw that's rated 10 out of 10 for severity on the CVSS scoring system.
HID Mercury controllers, which feature highly flexible configurations, are utilized by over 20 OEM (original equipment manufacturer) partners to design and deploy a broad range of access control systems, with Carrier LenelS2 being one among the vendors.
Other shortcomings could lead to command injection (CVE-2022-31479, CVE-2022-31486), denial-of-service (CVE-2022-31480, CVE-2022-31482), user modification (CVE-2022-31484), and information spoofing (CVE-2022-31485), as well as arbitrary file write (CVE-2022-31483).
LenelS2 systems are deployed to grant physical access to privileged facilities and to integrate with more complex building automation deployments. The following HID Mercury access panels sold by LenelS2 are impacted -
- S2-LP-2500, and
Trellix noted that by chaining two of the aforementioned weaknesses, it was able to gain root-level privileges on the device remotely and unlock and control the doors, effectively subverting the system monitoring protections.
Coinciding with the public disclosure is an industrial control systems (ICS) advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging users to update the access panels to the latest firmware version in line with Carrier's product security advisory (CARR-PSA-006-0622).
"Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition," the agency said in an alert.
Update: The story has been revised to state that the flaws originate in access control panels manufactured by a third-party supplier named HID Mercury and not from Carrier LenelS2 as previously stated. Additionally, the number of zero-day flaws identified by Trellix has been revised from eight to four.
"The other four vulnerabilities were patched and corrected before the Trellix assessment and are, therefore, not zero-day vulnerabilities," Carrier told The Hacker News in a statement.