Critical Mercury Security Vulnerabilities

Published Jun 13, 2022 17:22 PM

HID's Mercury Security has 8 vulnerabilities, including the highest possible 10.0 risk, and researchers recently demonstrated how to hack open a door while using one of the industry's biggest brands.


In this report, IPVM examines the vulnerabilities, exposed by researchers from a US cybersecurity firm, and includes a response from HID.

Executive *******

*** ** *** **** ****** **** controller ******, ******* ********, ********* ** IPVM ******** *************** ********* * ********* by *********** **** ************* **** *******.

***** ** *** ***** ***** *** scored *.* ** ****** ***, **** used ** ***********, **** *** **** doors ******* ******* **** ** *** event.

******* ** ********* ******** ** ********, who **** **** ******* ** ** their ******* ** ***** ********** *******.

Risks ******* ******* ***** **** ** **********

** * **** ***** ** ***********.** ************* **********, ******* *********** ***** ******* *** Sam ***** ****** *** * *********** of ***** ******** ***** ** ********* to *** **** * **** **** from *** **********, ******* ** ****** of *** ***** ** *** ****** management ********:

Full ******* *****

*** ***** ********** ** ****** *** full ***** ***** ** *** **********, we ******** ** *****:

********* ** *************** ********, *** ***********:

"****** **** ************, ** **** **** dive **** *** ******** ******* ******* including *** ********** ***** **** ** bypassing *** **********, ********-***** ******** ******, and **************. ** **** ******** *** use ** ********* *** ******* * detailed *********** ** *** * ********** zero-day ***************, ********** ***-**-*** ************ ***** malware ** ******** ** ******* ****** functionality. ** ********* *** **** **** an ********** **** **** ********* **** system *******, ********* ***** ******** ******* triggering *** ******** *************."

******* ** * **-***** ******** ******** company, ******** **** *,*** ********* ** ********.

Broad ******* ******, *** **** *******

***** ********* ********* ** ********** ***********'* ******* *********, ********* **** ******* *** *********, the ****** ******* ** *** ****** system ***** ********** ********.

*** ******* ** **** ******* *****+ ******* ********, ************ ******* ***** **-****** *********** (Red *****) *** *** ***** ****** (Green *****) ********* ********, ******, *******, Genetec, *******, **** *******, *** ***.

******** ******* ******** ** ******, ******, LP2500, ******, *** ****** ********** ******.

Eight *************** *********

****'* ******** ******* * ***************, ******* **** ** * *** of "********** ********* *******, ****** ********, Classic ****** ********, **** *********, ** Command *********" *****.

* ** *** *************** *** ***** risks ** *.* ** *****, *** only * ** *** * ** ranked ***** **** *.*.


Risk ******** ********* ****** & ****

*** ***** ** *************** ** * number ** ***** *****-***** "******, ****** ******** *************** ** * relatively ****** **********".

*******, ********** *** *************** ******** ***** network ****** ** *** ***********, *** takes **** ** ***** ******** ******* exploit ******* *** ******* "******* *********** *** **** *********"** ******* **** ** **** *****.

******* ** *** ********* ******, ***** controller ******, *** **** ****** ** execute ***** ********, ** *** *** external ******** ******** ****** **** ** be *** *** **** ****** ** be **** ** ******** *** *********** skilled *******.

**** *** *** ****** ***** ***************.

HID ********

*** ********* ** ****'* ******* *** comment ********** *** ***** *** ****** that ******** **** ****** ** ******* firmware:

** **** ******** ***** * ************* vulnerability ****** ******** ** ******* ***********.
** ***** **:
    • ******* *** ******* *** ****** ********
    • ********* ***** **********
    • ****** *** ******** *** *** *** partners (********* ***)

** *********** ******** **** *** *** partners, ***** ******** **** *********** **** their ******* ** ****** *** ******** fix ***** ** ***** ******** *********.

HID *** *** ********

**** ********* ***** *** *** ******* in ***** ****, **** **** ************** ***** ******** ******** ******* *** to '*********' ***************.

** **** ****, *** ******** *** vague *** *** ******* ******** *** public ********** ** ************ ** *** issues:

** **** **** ************* **** ******* partners ** ************ ******** ******** ********. We ******** ** ******* *** ******** with ********** ***** *** ***** *********.

** ******** ******* ******** ******** *** are ********* ** ********** **** **** their *********** ** *** *********** ******** security ********. ******* ** ** **** platform **** * **** ***** ** partners, **** **** ***** *** *********** schedule *** ************* ************* ********. ******** will **** ** ******* *** ** will ******** ** **** ******* *** customers ** ******* *** ******* *** any ****** ******* ******* ***** ********** dealer ********.

Updated ******** ********* **** ********

*** ******* ******** ** ********* ******* firmware *** ******* ******** ** **** vulnerability.

*******, ***** ******* *** *********** ** partners, *** ******* ***** *** ******** to ***** *******. *** *******,*******'* ******* ******* ******** *** ********** ***** ***/******* *****, *** ******* will *** ** ********* ******* ******** to *****.

Disable ******* ********** *********

*******'* ***** **** ********* * ********** step ** ******* *******'* ******* *** server ** ********** ***********. ***** *** webserver ** ** ********* ******* *** the ******* ************ ** *** ********** and *** ****** ** *********** *** troubleshooting, ** ** *** ********* ****** once *** ****** ****** ** ***********.

******* ***** ******** ******* ******** ******* in ** ***********,******* ******* ********* ** ** ******** risks:


HID ********

** ********* *****:

*******, *********** ******* ******** ** ******* onboard *** ******* ******** ******** ****** to *** ********** ***** *** ******** a *** ******, ***** *** ***** impractical *** ****** *** ***** *******.

*** ********* **** ** *** *** case, *** **** *** ******* *** only ****** ** ********** ********** **** disabled:

** **** ******* ********* *** ******* Security ***************, *** *** * ******* that ** ******* *** *** ****** you ****** ******** ****** ** *** board ** **** * *** ******. This ** *** *******. *** **** need ** *** *** *** ****** to **-****** *** *** ****** ** it *** ********. ** *******, *** just **** ****** ****** ** *** controller *** ***** ** ****** *** checkbox ** *** ***** ***** *** reboot *** **********.

Comments (19)
UE
Undisclosed End User #1
Jun 13, 2022

***** *** ****. *** ***** ***** clearly ** * ************* **** **** the ******(*) **** *** ***** ************ I **** ** ** *** ******* is ********** *** ******* *** ****** it ***** **** ****** *** ** it.

*. ***** ***** ***** ** *** they ******* *** *******, ****** *** first ****** "*****" ** ************ ***** holder *** ********** ******. ***** ** who *** ****** '*** *****' *****, so *** * ******* ****** ** begin ****.

*. *** **** ****** ** *** Web ** ** *** ***** ** unless *** ******* *** **** ******** policies ** ***** **** ** ***** be ****** *** ********. **** *** need *** ** ********* ** *** devices ** ***** **** ** *** and *** *** *******. **** *** report ****, *** **** ** **** on **-******* ***** ***. (******* ******)

*. ***** ******* *** * ******** update (***********)*** *** *******

*. * *** ***** ** ** different ***** **** ** *** **** a ******* ********.

(6)
(6)
Christopher Halvorson
Jun 13, 2022
@securitybaer • IPVMU Certified

******* ****** *****'* ****** *** **** for ******** **** ************* *******, ********** when *** **** ** ******* **** are ***** ******* ****** *** ******* that *** ** ********** ***** ******* (100's ** *****, ****'* ** *********); making ******* ****** * **** ********* option **** ** ***** ** ********* perimeter's. *** ** ****** ***..

** *** ** ********* **** ** get **** * ******* ********. ***'** 100% *******. **** ***** *** **** tools ** ****** **** ***** ****** to *****-*******, ***. *** ******* *******'* be **** ***** ******* **** ****** a ****** **** ****** *** ***** open *****. *** ** *** ** Trellix ** ***** ** ***** ******* can ** ****... *** ** ***** grows, **** *** **** ****** *** do ****.

******* **** ****, *** ********* **** IPVM ** **** ********** ** *** entirety ** *** ********, ** *******'* comment ******* **** **** *** ** doesn't **** **********. ***'** ** *********** manufacturer, *** ****** ** ******** *** this **** *** ** ******* ***** phone **** *** *** *****.

(9)
(2)
UE
Undisclosed End User #1
Jun 13, 2022

*****,

* ***** ***% ***** *** ******** of *** ******* *** ********* *** not ****** ** ******** ** ** all. * **** ***** *** ***** they ****** ** ** **** *** it *** **** ** ***% **, I *** *** ******* ******* **** what ** ****. *** ***** *** video *** ** *** ********* ****** walks **** ******** ****** *** ** this ************* *******. **** ******.

************* *** ******** ******** ** ** business, **'* *** * **** ** living. * ** *** ** ******* this **** ** ********* **** ***/**, specially ********** ****** *******. *** ***** OT ******** ** **** ** ********, this ** *** ** ********* **** for **** ** *** *******-**** ********** | ****.

**** ** *** * ************ ******** posture ** *** ** *** ** manage *** ******** ***** **** ** potential ******* ****** **** **** *****. It ***** *** ******* ** **** technologies *** ***** ******* ******** ** keep *** *** ****** ***.

(4)
(3)
U
Undisclosed #5
Jun 13, 2022

*. * *** ***** ** ** different ***** **** ** *** **** a ******* ********.


(23)
UM
Undisclosed Manufacturer #7
Jun 14, 2022

**** **** ** ***** ** * certain ***** **** ** **** ** eyes **** 🙄.

* **** **** ** **** ********* before, **** ******* ***** **** **** flaw **** ** *****. ** ******* response *** ******* "****...**...**** ** ********, but****** *** **** ******** ****** ** the ******* *** *** *****,****** ***'** *****-***** *** **** * thing ** *** ** *** ********, and****** *** **** *** *********** ** ********** ****. **** ****!"

*** ******* ** **** **** ************ and **-****** **** ******** *************** **** ** ****** ********* *****, in *********** **********. 😬

(3)
UI
Undisclosed Integrator #2
Jun 13, 2022

**** ** ***** ***, ******* **** an ***** ******** ** ******* ********** firmware ** *.**.*. ** **** *** same ******* ** ********* ***?

Brian Rhodes
Jun 13, 2022
IPVMU Certified

*'** *** ******* *** ****** ****.

Brian Rhodes
Jun 14, 2022
IPVMU Certified

******* *********:

**** ** * *** ******** ***** from ******* **** ******* *** ** their *** ********.

• ***** *** ********* *** *** the ****** (******* *.**.*)

***** **** ** ********* ** *** first **** **** ** **** **** for *** *** (******* *.**.*)

**** **** *****:

*** *** ** *** ****** *** just ****** ** *** ****** ** Saturday ** ** **** **** ** and ******* ** ** ******* ** possible.

(2)
UI
Undisclosed Integrator #2
Jun 14, 2022

****** *****

UE
Undisclosed End User #1
Jun 14, 2022

**** * **** *********** **** ** the **** *******/*** *** ****** *** in *** *** ******** ** *****/**. There *** **+ ***** *** ******** that *** *** **** ******* *** have *** **** **** ******** **** the **** *************.

****** **** *** ** ******* *** all ** ****? * **** **** each *** ** ** *** ******** fixes *** ******** ***** ******** *** why **** *****/** **** *** *** of *** **** ** ***** ****? While **** *** **** ***** ******* sauce ** *** ** *** **** Mercury/HID ******** *** ******* ******** ** at *** *** ************ ***** *******?

U
Undisclosed #3
Jun 13, 2022

"*** *** **** *** ***** ***** room?"

** **** ******.

(4)
U
Undisclosed #4
Jun 13, 2022

* ***** **** **** *********** *** UDM1..... ******** *** ************* ** * good *****, *** **'* *** **** to *******.

**'* ** ******* **** ***** ********* mediation **** ******** ***** - ***...

*** ****** ** ******** **** ********* those *****-***** ****** **** **** ***** about ** *** * **** ****.

** ***** *** *************

UE
Undisclosed End User #6
Jun 13, 2022

*** ******* **** ** ****** ** older ** *********** **** **** **** vulnerability? ******* ****'* ******* ******** **** version *.**.* *** *** ******, ****** and ******, ** *** ***** *************** exist ** *** *** ********? *** CVEs ***** **** *** ****** ** vulnerable ** ******** ***** ** *.**.*, but ******* ***** *** ***** ** models.

**** **** **** **** **** *** not **********, ** ****** **** **** weren't ******?

Brian Rhodes
Jun 13, 2022
IPVMU Certified

** *** ** ******, **** *** EP-4502 ** **********. *** ***** ** models *** ***. * **** **** told **** ** ******* *** **-**** runs ***** ***** *** ****** ** not.

(2)
(1)
UE
Undisclosed End User #6
Jun 13, 2022

** **** ******** ** *** ** the ******** *************? ** ****** * understand *** **** ** ****** *** case *** *'* *** ****** * don't ******* ***, *** *'* **** to *** * ***** ******* ********** ruling *** *************** ** *** ***** EP ****.

(1)
VT
Vicente Tormo
Jun 15, 2022

***** *******, *** ******* ******* *** version ** ******** **** ******** *** fix?

Brian Rhodes
Jun 15, 2022
IPVMU Certified

**** ********. *** ***** ******** ************ varies ****** ********, *** ******* ***** their *** ******* ****** **** **** not ********* ********* ** ***'*.

**** **** ****, **** ** *******'*:

  • ****** (******* *.**.*)
  • *** (******* *.**.*)
(4)
Brian Rhodes
Jun 16, 2022
IPVMU Certified

*** ********* **** **** ********:

** **** ******* ********* *** ******* Security ***************, *** *** * ******* that ** ******* *** *** ****** you ****** ******** ****** ** *** board ** **** * *** ******. This ** *** *******. *** **** need ** *** *** *** ****** to **-****** *** *** ****** ** it *** ********. ** *******, *** just **** ****** ****** ** *** controller *** ***** ** ****** *** checkbox *** ****** *** **********.

** **** ********* *** **** *****.

Steve Bell
Jun 21, 2022

** * ****** ** ****** ******* systems *** ** *** *********** ******** risks ** **** ** **** * cyber ******** ******** ***** ** *** of *** ******** *****. ** **** set ** ********* ** **** *** likelihood ** **** ********* ** * minimum. ***** ******** ** ****** ******** and *** *********, *********** ***** *** processes ** **** **, ** ** 20 ***** ***, **** ** **** initially ********** *** ******** *** ******** that ** *** ***** *** ****** products, **** ***** ** *** *** back **** *** **** *** *** very ****** ***** ******** ******* *** researchers **** **** *************** **** *** now ** *********.

******* ***** *** **** ** ********* our ***** *************** ** *** *** system ** *** * *** ** our ********* ******** **** ***** **** we **** ********** **** *** ******* was *** *******. *** ** *** other **** ** **** ********* *** many ** *** ********* *** *********** sharing **** *********** ** **** **** could ****** *** **** ***** ******** the ***** *** ***** ********. ** decided ** ** * **** ******* and ******** *** ***** ******** ***** so **** ** ***** ****** * CNA (*** ********* *********) ** *********** manage *** ************* ** *** ***** vulnerabilities. ****** * **** ** *** incident ******** ** **** ********** ****** I **** ** ******* ******* *** also ****** ** ***** *** ******** process ******* ** **** ** *** CVE ******* ** **** ****** * CNA.

*** ********* ** **** *** ** to ** * *********** ******, **** a ***** ******** ***********, **** ********:

  • ** **** ******* ** ********* ** all ** *** ******** *********** ******, it ** ***** ** **** *** all *** *** ** *** ***’* we **** ********* *** *************** ***** by *** *** ******.
  • ** ******* * ***** ***’* ******* goal ** ********* *** ***** ********.
  • *** *********** *** ********** ** ************* undergo * **** ******** ****** ** the ****** *****.
  • ** **** ********** **** ********** ** could ****** **** ****** ****** *** believe ** ** ********** **** ** enlist ** ******** ******** (*** ****) company ** ****** *** ***** *** subsystems, *************, *** ******** ****** ** release. ** **** **** ***** *** access ** *** **** *** ********* them ** ******** *** **** **.
  • ** **** **** ***** ************* **** a ***** ** ***** *********** **** individuals *** ********* *** **** ******** them ******** *** ******** *** *** them **** **** **.
  • ********** ********* *** ********** *********, *** we **** ******** ********* ********** ** ISO27001, *** **** **** ** *** roadmap **** *** **** ** **** cloud ***** ********. *** ***** *** of *********** **** **** *********** ** much ** *** ***** ************ *** those ** *** ********** ******** ********** in *** * **** *******:
    • **** ** ********** ******** ***** ******** in *********
    • * *** ********** ***** **** ****** control ******** *** *** *** **** required *** ********** ** *** ******* to **** ** *******.* *********.
    • *** *** ******* ********** **** * intruder ***** ********. **** **** ********* is * *** ******* *******.
    • *** ** **** (****** *** ********** of ******** **************) **** * ******** called ***** (***** ********* *** ******** Security *******). ** **** ******** ******** compliance ** *** **** ******* ** this ********. * ******* **** **** standard ***** ** * ***** **** for *** ******* ** *** ********.***** ********* ** ******** ******** ******* | ****. *** ******* **** **** ******** all *** *********** **** ******* *** vendor ** ******* ** **** *** products ******. ** ******* **** **** people ****** ** **** ** ****** to ** *** *********** ** **** mitigations **** **** ******* ****** ********, which **** **** **** **** * common ***** ** ***************. ***** **** not **** ** *** ** *** things **** ****** ******** *** ******** us ** ******** *** ******* **** we **** ********* *** **** ** buffer ********.

** ****** ** ***% ******* **** we **** *** **** ** ******** like ******* *** *** (*******) *** going ******* ** *** ******, **** impact *** ** **** *********, ** new ***** ****** ******* *** *********** evolving. *** ** ******* ** **** robust ********* *** ***** *** * great ******* **** **** ** * responsible ******.

(3)