CVE-2022-31481
Remote Code Execution via buffer overflow in firmware update process
Severity Score
10.0
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the “normal” code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.
Un atacante no autenticado puede enviar un archivo de actualización especialmente diseñado al dispositivo que puede desbordar un búfer. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.302 para la serie LP y 1.296 para la serie EP. Los datos desbordados pueden permitir al atacante manipular la ejecución del código "normal" a su elección. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los relés de la placa, cambiar los archivos de configuración o causar que el dispositivo se vuelva inestable
*Credits:
Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-05-23 CVE Reserved
- 2022-06-06 CVE Published
- 2023-12-28 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.corporate.carrier.com/product-security/advisories-resources | 2022-06-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Hidglobal Search vendor "Hidglobal" | Lp1501 Firmware Search vendor "Hidglobal" for product "Lp1501 Firmware" | < 1.302 Search vendor "Hidglobal" for product "Lp1501 Firmware" and version " < 1.302" | - |
Affected
| in | Hidglobal Search vendor "Hidglobal" | Lp1501 Search vendor "Hidglobal" for product "Lp1501" | - | - |
Safe
|
| Hidglobal Search vendor "Hidglobal" | Lp1502 Firmware Search vendor "Hidglobal" for product "Lp1502 Firmware" | < 1.302 Search vendor "Hidglobal" for product "Lp1502 Firmware" and version " < 1.302" | - |
Affected
| in | Hidglobal Search vendor "Hidglobal" | Lp1502 Search vendor "Hidglobal" for product "Lp1502" | - | - |
Safe
|
| Hidglobal Search vendor "Hidglobal" | Lp2500 Firmware Search vendor "Hidglobal" for product "Lp2500 Firmware" | < 1.302 Search vendor "Hidglobal" for product "Lp2500 Firmware" and version " < 1.302" | - |
Affected
| in | Hidglobal Search vendor "Hidglobal" | Lp2500 Search vendor "Hidglobal" for product "Lp2500" | - | - |
Safe
|
| Hidglobal Search vendor "Hidglobal" | Lp4502 Firmware Search vendor "Hidglobal" for product "Lp4502 Firmware" | < 1.302 Search vendor "Hidglobal" for product "Lp4502 Firmware" and version " < 1.302" | - |
Affected
| in | Hidglobal Search vendor "Hidglobal" | Lp4502 Search vendor "Hidglobal" for product "Lp4502" | - | - |
Safe
|
| Hidglobal Search vendor "Hidglobal" | Ep4502 Firmware Search vendor "Hidglobal" for product "Ep4502 Firmware" | < 1.296 Search vendor "Hidglobal" for product "Ep4502 Firmware" and version " < 1.296" | - |
Affected
| in | Hidglobal Search vendor "Hidglobal" | Ep4502 Search vendor "Hidglobal" for product "Ep4502" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 Lnl-4420 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-4420 Firmware" | < 1.296 Search vendor "Carrier" for product "Lenels2 Lnl-4420 Firmware" and version " < 1.296" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 Lnl-4420 Search vendor "Carrier" for product "Lenels2 Lnl-4420" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 Lnl-x2210 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x2210 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x2210 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 Lnl-x2210 Search vendor "Carrier" for product "Lenels2 Lnl-x2210" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 Lnl-x2220 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x2220 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x2220 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 Lnl-x2220 Search vendor "Carrier" for product "Lenels2 Lnl-x2220" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 Lnl-x3300 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x3300 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x3300 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 Lnl-x3300 Search vendor "Carrier" for product "Lenels2 Lnl-x3300" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 Lnl-x4420 Firmware Search vendor "Carrier" for product "Lenels2 Lnl-x4420 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 Lnl-x4420 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 Lnl-x4420 Search vendor "Carrier" for product "Lenels2 Lnl-x4420" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 S2-lp-1501 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-1501 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-1501 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 S2-lp-1501 Search vendor "Carrier" for product "Lenels2 S2-lp-1501" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 S2-lp-1502 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-1502 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-1502 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 S2-lp-1502 Search vendor "Carrier" for product "Lenels2 S2-lp-1502" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 S2-lp-2500 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-2500 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-2500 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 S2-lp-2500 Search vendor "Carrier" for product "Lenels2 S2-lp-2500" | - | - |
Safe
|
| Carrier Search vendor "Carrier" | Lenels2 S2-lp-4502 Firmware Search vendor "Carrier" for product "Lenels2 S2-lp-4502 Firmware" | < 1.302 Search vendor "Carrier" for product "Lenels2 S2-lp-4502 Firmware" and version " < 1.302" | - |
Affected
| in | Carrier Search vendor "Carrier" | Lenels2 S2-lp-4502 Search vendor "Carrier" for product "Lenels2 S2-lp-4502" | - | - |
Safe
|