IM
IronMonkey Threat Research

CVE-2022-31486 HIGH

Published: 2022-06-06 | Last Modified: 2024-11-21 | Status: Modified

Description

An authenticated attacker can send a specially crafted route to the “edit_route.cgi” binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.

Additional Descriptions (1)

Un atacante autenticado puede enviar una ruta especialmente diseñada al binario "edit_route.cgi" y hacer que ejecute comandos de shell. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.303 para la serie LP y 1.297 para la serie EP. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los relés incorporados, cambiar los archivos de configuración o causar que el dispositivo se vuelva inestable

CVSS Metrics

Base Score: 8.8 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 2.8

Impact Score: 5.9

Base Score: 9.0 (HIGH)

AV:N/AC:L/Au:S/C:C/I:C/A:C

Access VectorNETWORK
Access ComplexityLOW
AuthenticationSINGLE
Confidentiality ImpactCOMPLETE
Integrity ImpactCOMPLETE
Availability ImpactCOMPLETE

Source: [email protected]

Type: Primary

Exploitability Score: 8.0

Impact Score: 10.0

Weaknesses

Source Type Description
[email protected] Secondary
en CWE-78
[email protected] Primary
en CWE-78

Affected Products

Vendor Product Version Update Type
hidglobal lp1501_firmware * <built-in method update of dict object at 0x7c3c32750800> Operating System
hidglobal lp1502_firmware * <built-in method update of dict object at 0x7c3c327462c0> Operating System
hidglobal lp2500_firmware * <built-in method update of dict object at 0x7c3c2a9b6300> Operating System
hidglobal lp4502_firmware * <built-in method update of dict object at 0x7c3c477cd7c0> Operating System
hidglobal ep4502_firmware * <built-in method update of dict object at 0x7c3c32753480> Operating System
carrier lenels2_lnl-4420_firmware * <built-in method update of dict object at 0x7c3c32750100> Operating System
carrier lenels2_lnl-x2210_firmware * <built-in method update of dict object at 0x7c3c2a9b5000> Operating System
carrier lenels2_lnl-x2220_firmware * <built-in method update of dict object at 0x7c3c2910de80> Operating System
carrier lenels2_lnl-x3300_firmware * <built-in method update of dict object at 0x7c3c2a9b6f00> Operating System
carrier lenels2_lnl-x4420_firmware * <built-in method update of dict object at 0x7c3c32750140> Operating System
carrier lenels2_s2-lp-1501_firmware * <built-in method update of dict object at 0x7c3c2910dc40> Operating System
carrier lenels2_s2-lp-1502_firmware * <built-in method update of dict object at 0x7c3c32745340> Operating System
carrier lenels2_s2-lp-2500_firmware * <built-in method update of dict object at 0x7c3c28b14100> Operating System
carrier lenels2_s2-lp-4502_firmware * <built-in method update of dict object at 0x7c3c2910cbc0> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*

References

Notification
Message here