cnvd - cnvd-2022-77062

CNVD-2022-77062

Vulnerability from cnvd - Published: 2022-11-15

Title

Carrier LenelS2 HID Mercury access panels路径遍历漏洞

Description

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels存在路径遍历漏洞，攻击者可利用该漏洞发送特制的HTTP请求，将任意文件上传到系统的任意位置。

Severity

高

Patch Name

Carrier LenelS2 HID Mercury access panels路径遍历漏洞的补丁

Patch Description

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels存在路径遍历漏洞，攻击者可利用该漏洞发送特制的HTTP请求，将任意文件上传到系统的任意位置。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.corporate.carrier.com/Images/CARR-PSA-HID-Mercury-Vulnerabilities-006-0622_tcm558-170514.pdf

Reference

https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01

Impacted products

Name
['Carrier LenelS2 LNL-X3300', 'Carrier LenelS2 LNL-X4420', 'Carrier LenelS2 LNL-4420', 'Carrier LenelS2 S2-LP-1501', 'Carrier LenelS2 S2-LP-4502', 'Carrier LenelS2 S2-LP-2500', 'Carrier LenelS2 S2-LP-1502', 'Carrier LenelS2 LNL-X2210', 'Carrier LenelS2 LNL-X2220']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-31483"
    }
  },
  "description": "Carrier LenelS2 HID Mercury access panels\u662f\u7f8e\u56fdCarrier\u516c\u53f8\u7684\u4e00\u4e2a\u63a7\u5236\u5668\u9762\u677f\u3002\n\nCarrier LenelS2 HID Mercury access panels\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u9001\u7279\u5236\u7684HTTP\u8bf7\u6c42\uff0c\u5c06\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u5230\u7cfb\u7edf\u7684\u4efb\u610f\u4f4d\u7f6e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.corporate.carrier.com/Images/CARR-PSA-HID-Mercury-Vulnerabilities-006-0622_tcm558-170514.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-77062",
  "openTime": "2022-11-15",
  "patchDescription": "Carrier LenelS2 HID Mercury access panels\u662f\u7f8e\u56fdCarrier\u516c\u53f8\u7684\u4e00\u4e2a\u63a7\u5236\u5668\u9762\u677f\u3002\r\n\r\nCarrier LenelS2 HID Mercury access panels\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u9001\u7279\u5236\u7684HTTP\u8bf7\u6c42\uff0c\u5c06\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u5230\u7cfb\u7edf\u7684\u4efb\u610f\u4f4d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Carrier LenelS2 HID Mercury access panels\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Carrier LenelS2 LNL-X3300",
      "Carrier LenelS2 LNL-X4420",
      "Carrier LenelS2 LNL-4420",
      "Carrier LenelS2 S2-LP-1501",
      "Carrier LenelS2 S2-LP-4502",
      "Carrier LenelS2 S2-LP-2500",
      "Carrier LenelS2 S2-LP-1502",
      "Carrier LenelS2 LNL-X2210",
      "Carrier LenelS2 LNL-X2220"
    ]
  },
  "referenceLink": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01",
  "serverity": "\u9ad8",
  "submitTime": "2022-06-05",
  "title": "Carrier LenelS2 HID Mercury access panels\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2022-31483 (GCVE-0-2022-31483)

Vulnerability from cvelistv5 – Published: 2022-06-06 16:39 – Updated: 2024-09-16 18:55

Summary

An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with root privileges.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

Carrier

References

URL

Tags

https://www.corporate.carrier.com/product-securit…

x_refsource_MISC

Impacted products

Vendor

Product

Version

LenelS2

LNL-X2210

Affected: ALL , < 1.271 (custom)

LenelS2	LNL-X2220	Affected: ALL , < 1.271 (custom)
LenelS2	LNL-X3300	Affected: ALL , < 1.271 (custom)
LenelS2	LNL-X4420	Affected: ALL , < 1.271 (custom)
LenelS2	LNL-4420	Affected: ALL , < 1.271 (custom)
LenelS2	S2-LP-1501	Affected: ALL , < 1.271 (custom)
LenelS2	S2-LP-1502	Affected: ALL , < 1.271 (custom)
LenelS2	S2-LP-2500	Affected: ALL , < 1.271 (custom)
LenelS2	S2-LP-4502	Affected: ALL , < 1.271 (custom)
HID Mercury	LP1501	Affected: ALL , < 1.271 (custom)
HID Mercury	LP1502	Affected: ALL , < 1.271 (custom)
HID Mercury	LP2500	Affected: ALL , < 1.271 (custom)
HID Mercury	LP4502	Affected: ALL , < 1.271 (custom)
HID Mercury	EP4502	Affected: ALL , < 1.271 (custom)

Credits

Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:19:06.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LNL-X2210",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X2220",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X3300",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X4420",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-4420",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-1501",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-1502",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-2500",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-4502",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP1501",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP1502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP2500",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP4502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "EP4502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.271",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
        }
      ],
      "datePublic": "2022-06-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated attacker can upload a file with a filename including \u201c..\u201d and \u201c/\u201d to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with root privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-06T16:39:56",
        "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "shortName": "Carrier"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to the latest version of firmware"
        }
      ],
      "source": {
        "advisory": "CARR-PSA-006-0522",
        "discovery": "EXTERNAL"
      },
      "title": "Arbitrary file write via authenticated OSDP file upload",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productsecurity@carrier.com",
          "DATE_PUBLIC": "2022-06-02T22:00:00.000Z",
          "ID": "CVE-2022-31483",
          "STATE": "PUBLIC",
          "TITLE": "Arbitrary file write via authenticated OSDP file upload"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LNL-X2210",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X2220",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X3300",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X4420",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-4420",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-1501",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-1502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-2500",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "LenelS2"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LP1501",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP1502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP2500",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "EP4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.271"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HID Mercury"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An authenticated attacker can upload a file with a filename including \u201c..\u201d and \u201c/\u201d to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with root privileges."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.corporate.carrier.com/product-security/advisories-resources/",
              "refsource": "MISC",
              "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to the latest version of firmware"
          }
        ],
        "source": {
          "advisory": "CARR-PSA-006-0522",
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
    "assignerShortName": "Carrier",
    "cveId": "CVE-2022-31483",
    "datePublished": "2022-06-06T16:39:56.305369Z",
    "dateReserved": "2022-05-23T00:00:00",
    "dateUpdated": "2024-09-16T18:55:31.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-77062

CVE-2022-31483 (GCVE-0-2022-31483)

Tags

Sightings

Nomenclature