8 zero-day vulnerabilities discovered in popular industrial control system from Carrier

Eight zero-day vulnerabilities affecting a popular industrial control provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues.

The vulnerabilities affect the LenelS2 Mercury access control panel, which is used to grant physical access to facilities and integrate with more complex building automation deployments. 

Carrier’s LenelS2 Mercury access control panels are widely used across hundreds of companies in the healthcare, education, and transportation industries as well as federal government agencies and organizations. 

Trellix said they combined both known and novel techniques that allowed them to hack the system, achieve root access to the device’s operating system and pull firmware for emulation and vulnerability discovery. 

Carrier associate director of product security architecture Joshua Jessurun disputed the idea that these are zero-day vulnerabilities but told The Record that his team worked with Trellix on remediating the issues and released an advisory with detailed guidelines on what users need to do to address the vulnerabilities. Some of the issues need to be mitigated while most are addressed in firmware updates.

The Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory on the issues – which are tagged as CVE-2022-31479, CVE-2022-31480, CVE-2022-31481, CVE-2022-31482, CVE-2022-31483, CVE-2022-31484, CVE-2022-31485, CVE-2022-31486 – with most carrying CVSS scores above 7.5. 

A chart of the vulnerabilities from Trellix.

CISA explained that exploitation of the bugs would give “an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.”

Trellix security researchers Steve Povolny and Sam Quinn said they “anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques.” 

“While we believed flaws could be found, we did not…