CVE-2022-31479

Remote Code Execution via command injection of the hostname

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only get executed during start up or when unsafe calls regarding the hostname are used. This allows the attacker to gain remote access to the device and can make their persistence permanent by modifying the filesystem.

Un atacante no autenticado puede actualizar el nombre de host con un nombre especialmente diseñado que permitirá una ejecución de comandos de shell durante el proceso de recogida del núcleo. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.302 para la serie LP y 1.296 para la serie EP. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los relés de la placa, cambiar los archivos de configuración o causar que el dispositivo se vuelva inestable. Los comandos inyectados sólo son ejecutados durante el arranque o cuando son usadas llamadas no seguras en relación con el nombre del host. Esto permite al atacante conseguir acceso remoto al dispositivo y puede hacer que su persistencia sea permanente al modificar el sistema de archivos

*Credits: Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-23 CVE Reserved
2022-06-06 CVE Published
2023-12-28 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-693: Protection Mechanism Failure

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.corporate.carrier.com/product-security/advisories-resources	2023-06-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hidglobal Search vendor "Hidglobal"	Lp1501 Firmware Search vendor "Hidglobal" for product "Lp1501 Firmware"	< 1.302 Search vendor "Hidglobal" for product "Lp1501 Firmware" and version " < 1.302"	-	Affected	in	Hidglobal Search vendor "Hidglobal"	Lp1501 Search vendor "Hidglobal" for product "Lp1501"	-	-	Safe
Hidglobal Search vendor "Hidglobal"	Lp1502 Firmware Search vendor "Hidglobal" for product "Lp1502 Firmware"	< 1.302 Search vendor "Hidglobal" for product "Lp1502 Firmware" and version " < 1.302"	-	Affected	in	Hidglobal Search vendor "Hidglobal"	Lp1502 Search vendor "Hidglobal" for product "Lp1502"	-	-	Safe
Hidglobal Search vendor "Hidglobal"	Lp2500 Firmware Search vendor "Hidglobal" for product "Lp2500 Firmware"	< 1.302 Search vendor "Hidglobal" for product "Lp2500 Firmware" and version " < 1.302"	-	Affected	in	Hidglobal Search vendor "Hidglobal"	Lp2500 Search vendor "Hidglobal" for product "Lp2500"	-	-	Safe
Hidglobal Search vendor "Hidglobal"	Lp4502 Firmware Search vendor "Hidglobal" for product "Lp4502 Firmware"	< 1.302 Search vendor "Hidglobal" for product "Lp4502 Firmware" and version " < 1.302"	-	Affected	in	Hidglobal Search vendor "Hidglobal"	Lp4502 Search vendor "Hidglobal" for product "Lp4502"	-	-	Safe
Hidglobal Search vendor "Hidglobal"	Ep4502 Firmware Search vendor "Hidglobal" for product "Ep4502 Firmware"	< 1.296 Search vendor "Hidglobal" for product "Ep4502 Firmware" and version " < 1.296"	-	Affected	in	Hidglobal Search vendor "Hidglobal"	Ep4502 Search vendor "Hidglobal" for product "Ep4502"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 Lnl-4420 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-4420 Firmware"	< 1.296 Search vendor "Carrier" for product "Lenels2 Lnl-4420 Firmware" and version " < 1.296"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 Lnl-4420 Search vendor "Carrier" for product "Lenels2 Lnl-4420"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 Lnl-x2210 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x2210 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x2210 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 Lnl-x2210 Search vendor "Carrier" for product "Lenels2 Lnl-x2210"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 Lnl-x2220 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x2220 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x2220 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 Lnl-x2220 Search vendor "Carrier" for product "Lenels2 Lnl-x2220"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 Lnl-x3300 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x3300 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x3300 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 Lnl-x3300 Search vendor "Carrier" for product "Lenels2 Lnl-x3300"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 Lnl-x4420 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x4420 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x4420 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 Lnl-x4420 Search vendor "Carrier" for product "Lenels2 Lnl-x4420"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 S2-lp-1501 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-1501 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-1501 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 S2-lp-1501 Search vendor "Carrier" for product "Lenels2 S2-lp-1501"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 S2-lp-1502 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-1502 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-1502 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 S2-lp-1502 Search vendor "Carrier" for product "Lenels2 S2-lp-1502"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 S2-lp-2500 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-2500 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-2500 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 S2-lp-2500 Search vendor "Carrier" for product "Lenels2 S2-lp-2500"	-	-	Safe
Carrier Search vendor "Carrier"	Lenels2 S2-lp-4502 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-4502 Firmware"	< 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-4502 Firmware" and version " < 1.302"	-	Affected	in	Carrier Search vendor "Carrier"	Lenels2 S2-lp-4502 Search vendor "Carrier" for product "Lenels2 S2-lp-4502"	-	-	Safe