Trellix Threat Labs Uncovers Critical Flaws in Widely Used Building Access Control System

By Trellix · June 9, 2022
This story was also written by Steve Povolny and Sam Quinn.

Today at the Hardwear.io Security Trainings and Conference, Trellix Threat Labs is sharing new research into vulnerabilities in an industrial control system (ICS) used to grant physical access to privileged facilities and integrate with more complex building automation deployments.

The Trellix Threat Labs vulnerability research team has a keen interest in threats to ICS and operational technology (OT), the hardware and software that, according to Gartner, Inc, detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. For our latest project, we decided to investigate a topically interesting product that aligns with Trellix’s mission to help organizations build cyber resilience through a stronger security posture.

Our research was performed on HID Mercury access control panels, used by organizations across healthcare, education, transportation, and government for physical security. More than 20 OEM partners provide access control solutions with Mercury boards. Carrier LenelS2 is one of these vendors and worked closely with us to facilitate the disclosure to HID Mercury. Through our research, we found four zero-day vulnerabilities and four previously patched vulnerabilities, never published as CVEs. The impact of these vulnerabilities is full system control, including the ability for an attacker to remotely manipulate door locks. A demo video can be viewed here.

Can we hack it? Yes, we can!

When the vulnerability research team starts a research project, we always assume that flaws in the hardware or software being investigated will be found. We chose this specific access control panel to research because of its ubiquitous use, the volume and criticality of industries they are used in, the security certifications the product has received and overall position in the market.

For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques. While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.

Full system control

Analysis begins at the lowest level of hardware. By using the manufacturer’s built-in ports, we were able to manipulate on-board components and interact with the device.Combining both known and novel techniques, we were able to achieve root access to the device’s operating system and pull its firmware for emulation and vulnerability discovery.

To achieve system control, we used a phased approach:

• Physical Access: Utilizing hardware hacking techniques, we were able to use on board debugging ports, often used during the manufacturing process, to force the system into desired states, bypassing security measures. Through these steps, we gained root access and could access the system’s firmware and modify startup scripts to ensure continued access for research activity.
• Network Access: With the firmware and system binaries in hand, we began to home in on software that was accessible from the network. Through reverse engineering and live debugging, we discovered six unauthenticated and two authenticated vulnerabilities exploitable remotely over the network.
• Exploitation: By chaining just two of the vulnerabilities together, we were able to exploit the access control board and gain root level privileges on the device remotely. With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring.

Uncovering critical vulnerabilities

Most significantly, the vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems. The highest CVE, an unauthenticated Remote Code Execution (RCE), received a base score of 10.0 CVSS, the maximum score for a vulnerability. CVSS scoring is not universally consistent and may be interpreted differently depending on the target and application.

CVE	Detail Summary	Mercury Firmware Version	CVSS Score
CVE-2022-31479	Unauthenticated command injection	<=1.291	Base 9.0, Overall 8.1
CVE-2022-31480	Unauthenticated denial-of-service	<=1.291	Base 7.5, Overall 6.7
CVE-2022-31481	Unauthenticated remote code execution	<=1.291	Base 10.0, Overall 9.0
CVE-2022-31486	Authenticated command injection	<=1.291 (no patch)	Base 8.8, Overall 8.2
CVE-2022-31482	Unauthenticated denial-of-service	<=1.265	Base 7.5, Overall 6.7
CVE-2022-31483	Authenticated arbitrary file write	<=1.265	Base 9.1, Overall 8.2
CVE-2022-31484	Unauthenticated user modification	<=1.265	Base 7.5, Overall 6.7
CVE-2022-31485	Unauthenticated information spoofing	<=1.265	Base 5.3, Overall 4.8

HID Global has confirmed that all OEM partners using Mercury boards are vulnerable to the issues on specific hardware controller platforms. This research is actionable for vendors and third parties that collaborate with companies like Carrier to install physical access systems. Customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations.

Risk to OT & ICS

According to a study done by IBM in 2021, the average cost of a physical security compromise is 3.54 million dollars and takes an average of 223 days to identify a breach. The stakes are high for organizations that rely on access control systems to ensure the security and safety of facilities. Per the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S., “ICS security presents unique challenges…Most importantly, ICS manage physical operational processes, the increasing convergence of information technology (IT) and operational technology (OT) creates opportunities for exploitation that could result in catastrophic consequences, including loss of life, economic damage, and disruption of the National Critical Functions (NCFs) upon which society relies.”

While the stakes are already high, they are still growing. Supporting organizations to get ahead of threats to industrial systems is a national security imperative. Groups like CISA have launched priorities, goals, and best practices to ensure the attack surface of ICS is defended from urgent threats and long-term risks. Public and private partnership is critical for national security and our ability to defend against bad actors. To do our part to ensure vulnerabilities are managed and remediated, Trellix Threat Labs briefed our government agency partners and corresponding intelligence communities on these findings. On June 2nd, 2022, CISA published a bulletin referencing our findings – more details can be found here.

It is important for consumers to note that the vulnerabilities disclosed today may seem like they have little impact, but critical infrastructure attacks do impact our daily lives.

A note on certifications

One of the key factors that attracted us to this product was the certification and testing requirements it was marketed to have met. While these certifications were legitimate, it’s important for users and researchers to note that these labels do not necessarily connote rigorous testing or auditing and do not reflect the actual state of security of the device or software itself.

This device for example was certified for Federal government usage and added to the Government Service Administration (GSA) Approved Product List (APL) which may signal to a purchaser that the product is highly vetted. It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment.

Solutions

Carrier has released a new advisory on its product security page with specifics of the flaws and recommended mitigations and firmware updates. Applying vendor patches should be the first course of action, whenever possible.

We also want to give a shout out to Carrier for how they approached the disclosure and how effective they were to work with. It was a wonderful experience interacting with their security team during the process of getting these vulnerabilities patched and publicly disclosed. It’s worth pointing out that the vulnerabilities discovered were not in any software under Carrier’s control, but as one of the OEM partners of the boards, they felt responsible for helping facilitate the disclosure process with HID Mercury.

Trellix customers can use the following signatures on the IPS platform to detect exploitation attempts for CVE-2022-31486.

SID	Signature Name
85320442	Command Injection Attempt Using Port Listening Utility (CVE-2022-31486)
85320443	Command Injection Attempt Using Port Listening Utility (CVE-2022-31486)
85320444	Command Injection Attempt Using Port Listening Utility (CVE-2022-31486)
85320445	Command Injection Attempt Using Port Listening Utility (CVE-2022-31486)
85320446	Command Injection Attempt Using Port Listening Utility (CVE-2022-31486)
85320447	Command Injection Attempt Using Port Listening Utility (CVE-2022-31486)