IM
IronMonkey Threat Research

CVE-2022-31481 CRITICAL

Published: 2022-06-06 | Last Modified: 2024-11-21 | Status: Modified

Description

An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the “normal” code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.

Additional Descriptions (1)

Un atacante no autenticado puede enviar un archivo de actualización especialmente diseñado al dispositivo que puede desbordar un búfer. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.302 para la serie LP y 1.296 para la serie EP. Los datos desbordados pueden permitir al atacante manipular la ejecución del código "normal" a su elección. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los relés de la placa, cambiar los archivos de configuración o causar que el dispositivo se vuelva inestable

CVSS Metrics

Base Score: 10.0 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 6.0

Base Score: 7.5 (HIGH)

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access VectorNETWORK
Access ComplexityLOW
AuthenticationNONE
Confidentiality ImpactPARTIAL
Integrity ImpactPARTIAL
Availability ImpactPARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 6.4

Weaknesses

Source Type Description
[email protected] Secondary
en CWE-120
[email protected] Primary
en CWE-120

Affected Products

Vendor Product Version Update Type
hidglobal lp1501_firmware * <built-in method update of dict object at 0x7c3c3372fd40> Operating System
hidglobal lp1502_firmware * <built-in method update of dict object at 0x7c3c2ab0e3c0> Operating System
hidglobal lp2500_firmware * <built-in method update of dict object at 0x7c3c2ab0ce80> Operating System
hidglobal lp4502_firmware * <built-in method update of dict object at 0x7c3c297591c0> Operating System
hidglobal ep4502_firmware * <built-in method update of dict object at 0x7c3c3372e300> Operating System
carrier lenels2_lnl-4420_firmware * <built-in method update of dict object at 0x7c3c3372e780> Operating System
carrier lenels2_lnl-x2210_firmware * <built-in method update of dict object at 0x7c3c2ab0e500> Operating System
carrier lenels2_lnl-x2220_firmware * <built-in method update of dict object at 0x7c3c2ab0c980> Operating System
carrier lenels2_lnl-x3300_firmware * <built-in method update of dict object at 0x7c3c2be87200> Operating System
carrier lenels2_lnl-x4420_firmware * <built-in method update of dict object at 0x7c3c3372d0c0> Operating System
carrier lenels2_s2-lp-1501_firmware * <built-in method update of dict object at 0x7c3c29759b00> Operating System
carrier lenels2_s2-lp-1502_firmware * <built-in method update of dict object at 0x7c3c297592c0> Operating System
carrier lenels2_s2-lp-2500_firmware * <built-in method update of dict object at 0x7c3c2ab11580> Operating System
carrier lenels2_s2-lp-4502_firmware * <built-in method update of dict object at 0x7c3bf3b06500> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*

References

Notification
Message here