Several zero-day vulnerabilities discovered in popular industrial control system

At least four zero-day vulnerabilities affecting a popular industrial control provided by HID Mercury have been identified and patched, according to security researchers from Trellix who discovered the issues.

The vulnerabilities affect the HID Mercury access control panel, which is used to grant physical access to facilities and integrate with more complex building automation deployments. 

HID Mercury access control panels are widely used across hundreds of companies in the healthcare, education, and transportation industries as well as federal government agencies and organizations. 

Trellix said they combined both known and novel techniques that allowed them to hack the system, achieve root access to the device’s operating system and pull firmware for emulation and vulnerability discovery. 

Carrier, a large manufacturer that uses the HID Mercury access control panels, released an advisory with detailed guidelines on what users need to do to address the vulnerabilities. Some of the issues need to be mitigated while most are addressed in firmware updates.

The Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory on the issues – which are tagged as CVE-2022-31479, CVE-2022-31480, CVE-2022-31481, CVE-2022-31482, CVE-2022-31483, CVE-2022-31484, CVE-2022-31485, CVE-2022-31486 – with most carrying CVSS scores above 7.5. 

CISA explained that exploitation of the bugs would give “an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.”

Trellix security researchers Steve Povolny and Sam Quinn said they “anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques.” 

“While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology. Furthermore, this product has been approved for U.S. Federal Government use following ‘rigorous security vulnerability and interoperability testing,’” the two explained, noting that they took their findings to CISA after discovery. 

“Using the manufacturer’s built-in ports we were able to manipulate on-board components and interact with the device. Through reverse engineering and live debugging, we discovered six unauthenticated and two authenticated vulnerabilities exploitable remotely over the network.”

They managed to bypass security measures by utilizing hardware hacking techniques to force the system into desired states. 

The two explained that by chaining just two of the vulnerabilities together, they were able to exploit the access control board and gain root level privileges on the device remotely.

“With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring,” they said. 

“Most significantly, the vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems.”

They added that customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches “prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations.”

The two noted that the tools were added to the Government Service Administration (GSA) Approved Product List (APL) and were approved for federal government use, giving the impression that the product was highly vetted.

“It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment,” Povolny and Quinn said. 

UPDATE: Global home appliance giant Carrier disputed parts of this story and Trellix eventually admitted that it misstated several facts related to the issues with HID Mercury access control panels.

Despite initially linking the vulnerabilities to Carrier, they later changed their report, telling The Record that their research focused on HID Mercury access control panels, which are used by organizations across healthcare, education, transportation, and government for physical security.

"More than 20 OEM partners provide access control solutions with Mercury boards. Carrier LenelS2 is one of these vendors and worked closely with us to facilitate the disclosure to HID Mercury," a spokesperson from Trellix admitted.

They also revealed that they had overstated the number of zero-day vulnerabilities they discovered. They initially said they found 8, but after being pressed by Carrier, said the number was actually 4.

Trellix defended its actions by saying four of the vulnerabilities they found had been previously discovered by Carrier but had not been publicized or given CVEs.

Carrier said it disclosed the four issues behind a paywall on a platform that was only available to customers.