10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.5 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
66.1%
Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.
Carrier reports these vulnerabilities affect the following HID Mercury access panels sold by LenelS2:
An unauthenticated attacker can update the hostname with a specially crafted name, allowing shell command execution during the core collection process.
CVE-2022-31479 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a denial-of-service condition.
CVE-2022-31480 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer.
CVE-2022-31481 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker can send a specially crafted unauthenticated HTTP request to the device that can overflow a buffer.
CVE-2022-31482 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An authenticated attacker can manipulate a filename to achieve the ability to upload the desired file anywhere on the filesystem.
CVE-2022-31483 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker can send a specially crafted network packet to delete a user from the web interface.
CVE-2022-31484 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker can send a specially crafted packet to update the “notes” section on the home page of the web interface.
CVE-2022-31485 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
An authenticated attacker can send a specially crafted route to a specific binary causing it to execute shell commands.
CVE-2022-31486 has been assigned to this vulnerability. A CVSS v3 base score 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs reported these vulnerabilities to Carrier.
Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.
The controller can also be configured to disable web access, which prevents remote login into the controller’s webpage. To log in, see the specific instructions in CARR-PSA-006-0622
Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31479
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31480
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31481
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31482
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31483
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31484
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31485
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31486
cisa.gov/ics
cisa.gov/ics
cwe.mitre.org/data/definitions/120.html
cwe.mitre.org/data/definitions/120.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/425.html
cwe.mitre.org/data/definitions/425.html
cwe.mitre.org/data/definitions/425.html
cwe.mitre.org/data/definitions/693.html
cwe.mitre.org/data/definitions/78.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Carrier%20LenelS2%20HID%20Mercury%20access%20panels+https://www.cisa.gov/news-events/ics-advisories/icsa-22-153-01
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/recommended-practices
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.corporate.carrier.com/contact-us/
www.corporate.carrier.com/product-security/advisories-resources/
www.corporate.carrier.com/product-security/advisories-resources/
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-22-153-01&title=Carrier%20LenelS2%20HID%20Mercury%20access%20panels
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-22-153-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-22-153-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Carrier%20LenelS2%20HID%20Mercury%20access%20panels&body=www.cisa.gov/news-events/ics-advisories/icsa-22-153-01
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.5 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
66.1%