Trellix Threat Labs Uncovers Critical Flaws in Widely Used Building Access Control System
Today at the Hardwear.io Security Trainings and Conference, Trellix Threat Labs is sharing new research into vulnerabilities in an industrial control system (ICS) used to grant physical access to privileged facilities and integrate with more complex building automation deployments.
The Trellix Threat Labs vulnerability research team has a keen interest in threats to ICS and operational technology (OT), which Gartner, Inc. defines as the hardware and software that detects or causes a change through the direct monitoring and/or control of industrial equipment, assets, processes and events. For our latest project, we chose a topically interesting product that aligns with Trellix’s mission to help organizations build cyber resilience through a stronger security posture.
Our research was performed on HID Mercury access control panels, used by organizations across healthcare, education, transportation, and government for physical security. More than 20 OEM partners provide access control solutions with Mercury boards. Carrier LenelS2 is one of these vendors and worked closely with us to facilitate the disclosure to HID Mercury. Through our research, we found four zero-day vulnerabilities and four previously patched vulnerabilities, never published as CVEs. The impact of these vulnerabilities is full system control, including the ability for an attacker to remotely manipulate door locks. A demo video can be viewed here.
Can we hack it? Yes, we can!
When the vulnerability research team starts a research project, we always assume that flaws in the hardware or software being investigated will be found. We chose this specific access control panel because of its ubiquitous use, the number and criticality of the industries in which it is deployed, the security certifications the product has received, and its overall position in the market.
For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques. While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.
Full system control
Analysis begins at the lowest level of hardware. Using the manufacturer’s built-in ports, we were able to manipulate on-board components and interact with the device. Combining both known and novel techniques, we achieved root access to the device’s operating system and pulled its firmware for emulation and vulnerability discovery.
To achieve system control, we used a phased approach:
- Physical Access: Using hardware hacking techniques, we leveraged on-board debugging ports, typically used during the manufacturing process, to force the system into desired states and bypass its security measures. Through these steps we gained root access, extracted the system’s firmware, and modified startup scripts to ensure continued access for research activity.
- Network Access: With the firmware and system binaries in hand, we homed in on software reachable from the network. Through reverse engineering and live debugging, we discovered six unauthenticated and two authenticated vulnerabilities exploitable remotely over the network.
- Exploitation: By chaining just two of the vulnerabilities, we exploited the access control board and gained root-level privileges on the device remotely. With this level of access, we created a program that runs alongside the legitimate software and controls the doors. This allowed us to unlock any door and subvert any system monitoring.
Uncovering critical vulnerabilities
Most significantly, the vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms, and undermine logging and notification systems. The highest-rated CVE, an unauthenticated Remote Code Execution (RCE), received a CVSS base score of 10.0, the maximum possible. Note that CVSS scoring is not universally consistent and may be interpreted differently depending on the target and application.
| CVE | Detail Summary | Mercury Firmware Version | CVSS Score |
|---|---|---|---|
| CVE-2022-31479 | Unauthenticated command injection | <=1.291 | Base 9.0, Overall 8.1 |
| CVE-2022-31480 | Unauthenticated denial-of-service | <=1.291 | Base 7.5, Overall 6.7 |
| CVE-2022-31481 | Unauthenticated remote code execution | <=1.291 | Base 10.0, Overall 9.0 |
| CVE-2022-31486 | Authenticated command injection | <=1.291 (no patch) | Base 8.8, Overall 8.2 |
| CVE-2022-31482 | Unauthenticated denial-of-service | <=1.265 | Base 7.5, Overall 6.7 |
| CVE-2022-31483 | Authenticated arbitrary file write | <=1.265 | Base 9.1, Overall 8.2 |
| CVE-2022-31484 | Unauthenticated user modification | <=1.265 | Base 7.5, Overall 6.7 |
| CVE-2022-31485 | Unauthenticated information spoofing | <=1.265 | Base 5.3, Overall 4.8 |
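Two of the rows above are command injection in a network-facing service on an embedded Linux controller. The following is an added, constructed illustration of that class and of the two fixes a practitioner would apply (it is not Mercury firmware code, and the "diagnostic ping" endpoint and its host parameter are hypothetical): the vulnerable pattern hands attacker-controlled text to a shell, while the hardened version allow-lists the parameter and then executes the program directly with a fixed argv, so that shell metacharacters are never interpreted.

```c
/* Constructed example of the "command injection" class, NOT Mercury code.
 * Assumed scenario: a diagnostic endpoint on an embedded Linux controller
 * lets a client ask the device to ping a host, and the service runs as root. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE: the command line is built by string concatenation and then
 * (in the real flaw pattern) passed to system()/popen(). A host value such as
 * "10.0.0.5; nc -l -p 4444 -e /bin/sh" ends the ping and spawns a root shell
 * listener. Returns 1 if the command fit in the buffer, 0 on truncation.
 * Build only; this function deliberately does not execute anything. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return n >= 0 && (size_t)n < outlen;
}

/* HARDENED step 1: allow-list, not deny-list. A ping target is a dotted
 * quad or hostname: alphanumerics, '.', '-', bounded length, and it may not
 * start with '-' so it cannot be parsed as an option. Returns 1 if safe. */
int is_safe_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED step 2: no shell at all. fork/execvp with a fixed argv means any
 * metacharacters in host are just bytes inside one argument. Returns the
 * child's exit status, or -1 if the input was refused or the spawn failed. */
int run_ping_hardened(const char *host) {
    if (!is_safe_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execvp("ping", argv);
        _exit(127);              /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *evil = "10.0.0.5; nc -l -p 4444 -e /bin/sh";
    char cmd[256];
    if (build_ping_cmd_vulnerable(evil, cmd, sizeof cmd))
        printf("vulnerable service would run: %s\n", cmd);
    printf("hardened accepts attacker value? %d\n", is_safe_host(evil));
    printf("hardened accepts 10.0.0.5?       %d\n", is_safe_host("10.0.0.5"));
    return 0;
}
```

The ordering matters: validation alone is fragile (a later feature may widen the allow-list), and exec-without-shell alone still lets a hostile value become an option to the child program, which is why the allow-list also rejects a leading `-`. Applied together they remove the shell interpreter, which is the precondition for this whole vulnerability class.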
HID Global has confirmed that all OEM partners using Mercury boards are vulnerable to these issues on specific hardware controller platforms. This research is actionable for vendors and for the third parties that collaborate with companies like Carrier to install physical access systems. Customers using HID Global Mercury boards should contact their Mercury OEM partner for security patches before these flaws are weaponized by malicious threat actors, which could lead to digital or physical breaches of sensitive information and protected locations.
Risk to OT & ICS
According to a 2021 IBM study, the average cost of a physical security compromise is $3.54 million, and such a breach takes an average of 223 days to identify. The stakes are high for organizations that rely on access control systems to ensure the security and safety of their facilities. Per the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S., “ICS security presents unique challenges…Most importantly, ICS manage physical operational processes, the increasing convergence of information technology (IT) and operational technology (OT) creates opportunities for exploitation that could result in catastrophic consequences, including loss of life, economic damage, and disruption of the National Critical Functions (NCFs) upon which society relies.”
While the stakes are already high, they are still growing. Supporting organizations to get ahead of threats to industrial systems is a national security imperative. Groups like CISA have launched priorities, goals, and best practices to ensure the attack surface of ICS is defended from urgent threats and long-term risks. Public and private partnership is critical for national security and our ability to defend against bad actors. To do our part to ensure vulnerabilities are managed and remediated, Trellix Threat Labs briefed our government agency partners and corresponding intelligence communities on these findings. On June 2nd, 2022, CISA published a bulletin referencing our findings – more details can be found here.
Consumers should note that although the vulnerabilities disclosed today may seem to have little direct impact on them, attacks on critical infrastructure do affect our daily lives.
A note on certifications
One of the key factors that attracted us to this product was the certification and testing requirements it was marketed as having met. While these certifications were legitimate, users and researchers should understand that such labels do not necessarily connote rigorous security testing or auditing, and they do not reflect the actual security state of the device or its software.
This device, for example, was certified for Federal government use and added to the General Services Administration (GSA) Approved Products List (APL), which may signal to a purchaser that the product has been thoroughly vetted. It is crucial to independently evaluate what a product’s certifications actually cover before adding it to an IT or OT environment.
Carrier has released a new advisory on its product security page with specifics of the flaws and recommended mitigations and firmware updates. Applying vendor patches should be the first course of action, whenever possible.
We also want to give a shout-out to Carrier for how they approached the disclosure and how easy they were to work with. It was a wonderful experience interacting with their security team while these vulnerabilities were patched and publicly disclosed. It is worth pointing out that the vulnerabilities were not in any software under Carrier’s control, but as one of the OEM partners using the boards, they felt responsible for helping facilitate the disclosure process with HID Mercury.
Trellix customers can use the following signatures on the Trellix IPS platform to detect exploitation attempts for CVE-2022-31486.

| Signature ID | Name |
|---|---|
| 85320442 | Command Injection Attempt Using Port Listening Utility (CVE-2022-31486) |
| 85320443 | Command Injection Attempt Using Port Listening Utility (CVE-2022-31486) |
| 85320444 | Command Injection Attempt Using Port Listening Utility (CVE-2022-31486) |
| 85320445 | Command Injection Attempt Using Port Listening Utility (CVE-2022-31486) |
| 85320446 | Command Injection Attempt Using Port Listening Utility (CVE-2022-31486) |
| 85320447 | Command Injection Attempt Using Port Listening Utility (CVE-2022-31486) |