IronMonkey Threat Research

CVE-2022-31483 CRITICAL

Published: 2022-06-06 | Last Modified: 2024-11-21 | Status: Modified

Description

An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlying Linux operating system with root privileges.

Additional Descriptions (1)

An authenticated attacker can upload a file with a filename that includes ".." and "/" to gain the ability to upload the desired file anywhere on the filesystem. This vulnerability affects products based on the HID Mercury intelligent controllers LP1501, LP1502, LP2500, LP4502 and EP4502 that contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to obtain remote access to the underlying Linux operating system with root privileges.

CVSS Metrics

Base Score: 8.8 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 2.8

Impact Score: 5.9

Base Score: 9.0 (HIGH)

AV:N/AC:L/Au:S/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Source: [email protected]

Type: Primary

Exploitability Score: 8.0

Impact Score: 10.0

Weaknesses

Source Type Description
[email protected] Secondary en CWE-22
[email protected] Primary en CWE-22

Affected Products

Vendor Product Version Update Type
hidglobal lp1501_firmware * * Operating System
hidglobal lp1502_firmware * * Operating System
hidglobal lp2500_firmware * * Operating System
hidglobal lp4502_firmware * * Operating System
hidglobal ep4502_firmware * * Operating System
carrier lenels2_lnl-4420_firmware * * Operating System
carrier lenels2_lnl-x2210_firmware * * Operating System
carrier lenels2_lnl-x2220_firmware * * Operating System
carrier lenels2_lnl-x3300_firmware * * Operating System
carrier lenels2_lnl-x4420_firmware * * Operating System
carrier lenels2_s2-lp-1501_firmware * * Operating System
carrier lenels2_s2-lp-1502_firmware * * Operating System
carrier lenels2_s2-lp-2500_firmware * * Operating System
carrier lenels2_s2-lp-4502_firmware * * Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*