Vendor addresses threat to integrity and availability of physical access systems
Attackers could remotely unlock doors in critical infrastructure facilities by exploiting recently patched vulnerabilities in LenelS2 access control panels, security researchers have revealed.
Sam Quinn and Steve Povolny from Trellix Threat Labs uncovered eight security flaws in the industrial control system (ICS) access control technology that “allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms, and undermine logging and notification systems”, they said in a technical write-up.
In a security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) said that successful exploitation could allow “monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition”.
Chain reaction
The findings emerged from a penetration test in which Quinn and Povolny combined known and novel hardware hacking techniques to manipulate on-board components and achieve root access to the device’s Linux operating system.
Then the duo conducted reverse engineering and live debugging to discover the remotely exploitable flaws, two of which they chained to exploit the access control board and remotely gain root-level privileges. This enabled them to create a program that could run alongside the legitimate firmware and unlock any door and subvert system monitoring.
The researchers captured the exploit in the video below:
The vulnerable panels, which are manufactured by HID Global, are used in government, healthcare, transportation, and education settings, among other sectors, and can be integrated with complex building automation deployments.
Bug breakdown
The flaws include a critical unauthenticated buffer overflow leading to remote code execution (RCE) that earned a maximum severity score of CVSS 10.0 (CVE-2022-31481).
The second most severe issue, a critical command injection bug notching a CVSS of 9.6 (CVE-2022-31479), could see an unauthenticated attacker “update the hostname with a specially crafted name, allowing shell command execution during the core collection process”, explained CISA.
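The hostname path CISA describes is the classic command injection pattern: an operator-supplied value ends up inside a shell command line. As an added illustration, not the vendor's code or the researchers' exploit, this C snippet shows the defensive handling a Linux-based controller would want: an RFC 1123 allowlist check on the name, then a direct sethostname(2) call so no shell ever parses the value. The sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Explicit prototype so the block compiles under any feature-macro setting; matches glibc/musl. */
int sethostname(const char *name, size_t len);

#define HOSTNAME_MAX 63 /* RFC 1123 single-label limit */

/* Allowlist check: 1..63 bytes of letters, digits and hyphens, no leading or
 * trailing hyphen. Shell metacharacters (';', '`', '$', '|', quotes, whitespace)
 * never pass, so they cannot reach a command line or a config file later on. */
int hostname_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > HOSTNAME_MAX)
        return 0;
    if (name[0] == '-' || name[len - 1] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened setter: validate first, then hand the value to the kernel directly.
 * No shell is involved, so there is nothing to inject into. Returns 0 on
 * success, -1 if the name is rejected or the syscall fails (e.g. EPERM when
 * run without CAP_SYS_ADMIN). */
int set_hostname_safe(const char *name)
{
    if (!hostname_is_valid(name))
        return -1;
    return sethostname(name, strlen(name)) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs: one benign name, three hostile ones. */
    const char *samples[] = { "panel-01", "panel;reboot", "a$(id)", "-x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```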
Scoring CVSS 9.1, another critical, arbitrary file write issue (CVE-2022-31483) meant “an authenticated attacker can manipulate a filename to achieve the ability to upload the desired file anywhere on the filesystem”.
And a high severity authenticated command injection with a CVSS rating of 8.8 (CVE-2022-31486) due to improper neutralization of special elements was the only issue yet to be patched, according to Trellix.
Other flaws include three high severity (all CVSS 7.5) issues comprising a pair of denial-of-service (DoS) bugs (CVE-2022-31480 and CVE-2022-31482) and an unauthenticated user modification issue (CVE-2022-31484), and an unauthenticated information spoofing bug scoring CVSS 5.3 (CVE-2022-31485).
Mitigations
The vulnerable models include LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-4502, S2-LP-2500, and S2-LP-1502.
“HID Global has confirmed that all OEM partners using Mercury boards are vulnerable to the issues on specific hardware controller platforms,” warned the researchers.
“This research is actionable for vendors and third parties that collaborate with companies like Carrier to install physical access systems. Customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors.”
A security advisory (PDF) published on June 2 by Carrier, which owns LenelS2, provides advice on updating firmware and, in the meantime, mitigating the risk by disabling web access.
The researchers said they “did not expect to find common, legacy software vulnerabilities in a relatively recent technology”, especially one approved for US federal government use. “It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment,” they advised.