Researchers have revealed numerous zero-day bugs in Carrier’s LenelS2 access control panels that could enable attackers to physically access nominally secure facilities.
The devices are manufactured by HID Mercury and are popular across the healthcare, education, transportation, and government sectors; they are approved for US federal government use following supposedly rigorous vulnerability and interoperability testing.
The researchers took a phased approach, starting with hardware hacking techniques that allowed them to access on-board debugging ports, force the system into the desired state, and ultimately achieve permanent firmware access.
With access to firmware and system binaries, they then proceeded through reverse engineering and live debugging to find six unauthenticated and two authenticated vulnerabilities that could be remotely exploited.
As the researchers put it: "By chaining just two of the vulnerabilities together, we were able to exploit the access control board and gain root-level privileges on the device remotely. With this level of access, we created a program that would run alongside the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring."
The most serious vulnerability, the unauthenticated remote code execution bug CVE-2022-31481, received the maximum CVSS score of 10.0. High scores were also assigned to the unauthenticated command injection flaw CVE-2022-31479, with a CVSS score of 9.0, and the authenticated arbitrary file write bug CVE-2022-31483, with a CVSS score of 9.1.
Trellix urged users to apply vendor-issued patches and to always independently evaluate the certifications handed to any third-party IT or OT product before deployment.