The Hacker News reports that the popular Carrier LenelS2 HID Mercury access control system has been discovered by Trellix researchers to be impacted by up to four critical zero-day flaws, which could be exploited to obtain complete system control.
"The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems," said researchers Sam Quinn and Steve Povolny.
Attackers could abuse CVE-2022-31481 to facilitate unauthenticated remote execution, while CVE-2022-31749 and CVE-2022-31486 could be exploited to allow command injection. CVE-2022-31480 and CVE-2022-31482 could be used to cause a denial-of-service condition, while CVE-2022-31484, CVE-2022-31485, and CVE-2022-31483 could be exploited to achieve user alteration, information spoofing, and arbitrary file write, respectively.
The Cybersecurity and Infrastructure Security Agency has also issued an advisory urging that LenelS2 HID Mercury systems be upgraded to the latest firmware version.
"Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition," said CISA.
The HID Mercury access control panel referenced in the original article by the Hacker News is designed and manufactured by third-party supplier HID Mercury and not by LenelS2, as previously reported.