cnvd - cnvd-2022-77064

CNVD-2022-77064

Vulnerability from cnvd - Published: 2022-11-15

Title

Carrier LenelS2 HID Mercury access panels缓冲区溢出漏洞

Description

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels存在缓冲区溢出漏洞，攻击者可利用该漏洞向设备发送专门制作的更新文件，从而使缓冲区溢出。

Severity

高

Patch Name

Carrier LenelS2 HID Mercury access panels缓冲区溢出漏洞的补丁

Patch Description

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels存在缓冲区溢出漏洞，攻击者可利用该漏洞向设备发送专门制作的更新文件，从而使缓冲区溢出。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.corporate.carrier.com/Images/CARR-PSA-HID-Mercury-Vulnerabilities-006-0622_tcm558-170514.pdf

Reference

https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01

Impacted products

Name
['Carrier LenelS2 LNL-X3300', 'Carrier LenelS2 LNL-X4420', 'Carrier LenelS2 LNL-4420', 'Carrier LenelS2 S2-LP-1501', 'Carrier LenelS2 S2-LP-4502', 'Carrier LenelS2 S2-LP-2500', 'Carrier LenelS2 S2-LP-1502', 'Carrier LenelS2 LNL-X2210', 'Carrier LenelS2 LNL-X2220']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-31481"
    }
  },
  "description": "Carrier LenelS2 HID Mercury access panels\u662f\u7f8e\u56fdCarrier\u516c\u53f8\u7684\u4e00\u4e2a\u63a7\u5236\u5668\u9762\u677f\u3002\n\nCarrier LenelS2 HID Mercury access panels\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u8bbe\u5907\u53d1\u9001\u4e13\u95e8\u5236\u4f5c\u7684\u66f4\u65b0\u6587\u4ef6\uff0c\u4ece\u800c\u4f7f\u7f13\u51b2\u533a\u6ea2\u51fa\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.corporate.carrier.com/Images/CARR-PSA-HID-Mercury-Vulnerabilities-006-0622_tcm558-170514.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-77064",
  "openTime": "2022-11-15",
  "patchDescription": "Carrier LenelS2 HID Mercury access panels\u662f\u7f8e\u56fdCarrier\u516c\u53f8\u7684\u4e00\u4e2a\u63a7\u5236\u5668\u9762\u677f\u3002\r\n\r\nCarrier LenelS2 HID Mercury access panels\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u8bbe\u5907\u53d1\u9001\u4e13\u95e8\u5236\u4f5c\u7684\u66f4\u65b0\u6587\u4ef6\uff0c\u4ece\u800c\u4f7f\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Carrier LenelS2 HID Mercury access panels\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Carrier LenelS2 LNL-X3300",
      "Carrier LenelS2 LNL-X4420",
      "Carrier LenelS2 LNL-4420",
      "Carrier LenelS2 S2-LP-1501",
      "Carrier LenelS2 S2-LP-4502",
      "Carrier LenelS2 S2-LP-2500",
      "Carrier LenelS2 S2-LP-1502",
      "Carrier LenelS2 LNL-X2210",
      "Carrier LenelS2 LNL-X2220"
    ]
  },
  "referenceLink": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01",
  "serverity": "\u9ad8",
  "submitTime": "2022-06-05",
  "title": "Carrier LenelS2 HID Mercury access panels\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2022-31481 (GCVE-0-2022-31481)

Vulnerability from cvelistv5 – Published: 2022-06-06 16:38 – Updated: 2024-09-16 16:12

Summary

An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the “normal” code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-120 - Buffer Overflow

Assigner

Carrier

References

URL

Tags

https://www.corporate.carrier.com/product-securit…

x_refsource_MISC

Impacted products

Vendor

Product

Version

LenelS2

LNL-X2210

Affected: ALL , < 1.302 (custom)

LenelS2	LNL-X2220	Affected: ALL , < 1.302 (custom)
LenelS2	LNL-X3300	Affected: ALL , < 1.302 (custom)
LenelS2	LNL-X4420	Affected: ALL , < 1.302 (custom)
LenelS2	LNL-4420	Affected: ALL , < 1.296 (custom)
LenelS2	S2-LP-1501	Affected: ALL , < 1.302 (custom)
LenelS2	S2-LP-1502	Affected: ALL , < 1.302 (custom)
LenelS2	S2-LP-2500	Affected: ALL , < 1.302 (custom)
LenelS2	S2-LP-4502	Affected: ALL , < 1.302 (custom)
HID Mercury	LP1501	Affected: ALL , < 1.302 (custom)
HID Mercury	LP1502	Affected: ALL , < 1.302 (custom)
HID Mercury	LP2500	Affected: ALL , < 1.302 (custom)
HID Mercury	LP4502	Affected: ALL , < 1.302 (custom)
HID Mercury	EP4502	Affected: ALL , < 1.296 (custom)

Credits

Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:19:06.065Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LNL-X2210",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X2220",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X3300",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X4420",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-4420",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.296",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-1501",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-1502",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-2500",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-4502",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP1501",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP1502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP2500",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP4502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.302",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "EP4502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.296",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
        }
      ],
      "datePublic": "2022-06-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the \u201cnormal\u201d code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120 Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-06T16:38:51",
        "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "shortName": "Carrier"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to the latest version of firmware"
        }
      ],
      "source": {
        "advisory": "CARR-PSA-006-0522",
        "discovery": "EXTERNAL"
      },
      "title": "Remote Code Execution via buffer overflow in firmware update process",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productsecurity@carrier.com",
          "DATE_PUBLIC": "2022-06-02T22:00:00.000Z",
          "ID": "CVE-2022-31481",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution via buffer overflow in firmware update process"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LNL-X2210",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X2220",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X3300",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X4420",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-4420",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.296"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-1501",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-1502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-2500",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "LenelS2"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LP1501",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP1502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP2500",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.302"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "EP4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.296"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HID Mercury"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the \u201cnormal\u201d code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-120 Buffer Overflow"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.corporate.carrier.com/product-security/advisories-resources/",
              "refsource": "MISC",
              "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to the latest version of firmware"
          }
        ],
        "source": {
          "advisory": "CARR-PSA-006-0522",
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
    "assignerShortName": "Carrier",
    "cveId": "CVE-2022-31481",
    "datePublished": "2022-06-06T16:38:51.453086Z",
    "dateReserved": "2022-05-23T00:00:00",
    "dateUpdated": "2024-09-16T16:12:27.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-77064

CVE-2022-31481 (GCVE-0-2022-31481)

Tags

Sightings

Nomenclature