Mercury Red Board 2022 10.0 Vulnerability Examined
HID's Mercury is abruptly EOLing its red boards, with a partner citing "reducing latency and vulnerabilities," but how have red boards been exploited?
In this report, based on IPVM's examination of the original researcher's findings, LenelS2's disclosure, and HID's feedback on the matter, we examine the risks of this 2022 vulnerability, which HID never disclosed directly.
Executive *******
************* ***** ******* *** ****** **** verify/update ***** ******** ** *.**.* (**** 2022 *******) ** ***** ** ******** replacing **** **** **** ****** ************, such ** ***** ******, ** ******** remote **** ********* ***************, ***** ***** access ** *** **** ****** *** PACS.
*** *** *************, ********** ********* ** June ****, ** ******* *** ****** allows ********* ** ******* ************ ******** remotely, *********** ****** ********* ****** ** any ****. *** *******, ******** ** DEFCON **, ******** ********* ************** ******* a ******* ** **** *** **** using ******* ********* *************** ** ******* unauthorized ********. **** ** ******** ** sending ********* ******* **** ******** ** the *** ******, ***** ********** ********* the ******* **, ******** *** ******** to ********** *** ****** ******* ******, including ********* ***** ********.
Only ******* ****** **********
***** ******* *** **+ *** ********, we **** ***** ******* ********** **** *******'* *******. ** ** ******** **** **** of *** **** ******** ********* ********* but *** *** ******* ** ********.
**********, *** *** ******** ***** ***** boards ***** ************* ** ******** ** this ************* ******* *********** ******** / patching.
Some ******* ***** **********
***** *********** ********* ***** *************** ** June **** *** ******** ***** ******** in ****** ** (******** *****), **** believes * *********** ********** ** ****** are ***** **********. ** ***-*****-********* ****** require ***********/*********** ** ****** *** ******** manually, ***** *** **** *** *** site ******* ** *** **** *** years **** ** ********** ** **** exploit, ******** ****** ****** ** ***** facilities.
*** **** **** **** *** ******* OEM ****** **** *** ******** *** vulnerable.
******* ************ *** ******** *** *** of *** ****, ** *** *************** and ******* ***** **** ********** ** all ******* ****.
*** ***** ** **** *** ******* or ******* *** ************ ** *******, and ******** *** *********** *** ********* firmware *****.
******* **** *** ******* ** ******* the ************ ** ******* ** ******* boards.
*** ***** ***, ** **** ******** of ************* *************** ****** ******** ******* on ******* ** *** ****** *********** Controllers. ** **** ***** ******* ** confirm *** ******* *** ****** ********, validated ***** **********, *** ****** *** firmware *** *** *** ******** ** consume. ***** ******** **** *********** **** their ******* ** ****** *** ******** fix ***** ** ***** ********** *********.
Remote **** ********* *******
* *** **** ** *** ******* is ********* ************** *** * ******/******* ID ***********. *********** ********* *** *** server's ************ ********** *********: ***** *** requests ********* ****** ****** **********, **** requests *** ***. **** ************* ******* attackers ** ***** *** ****** ****** with *** ***** *** *** ****** erroneously ******** ** *****, ************ ************ access.
*** *********** ******** ** "******* *****," a ******** ******* ******** *************** ******** to ********** *** ******. ** ********* together ***** **********, ********* *** ******* ID **** *** ******* *********, **** orchestrated * ****** ** ******* *** unauthorized ****** *******.
*********** ******** "**********" ** *** **** request (****** * *** *) ** bypass *** *********’* ****** ******* **********, failing ** ******** ******* *** *** POST ******** *************.
*** ************* **** **** ("\*", ***** in *) *** ******* ********* ** bypass *** *** ** ******.
**** *******, *******, ******** * ****** of *** ******** ***** ** ******* the *******, ******* *** ********* **** injected **** **** *** ***** *** system ********, ******** *** ******** ** remain ********** ***** *** ********* *****. A ******** ************* ** **** ** trigger *** ****** ********.
Remote ****** ** ******
****** ****** ** *** ****** ** crucial *** *** ******* ********* ** take ******. *** ******** *** ****** using ***** ******** (**<=*.***) ******** ** inherent ****** ******** ***** * ******* crash-dumps *** ******'* ****** **** * file *** *********. ************, ** ********* a ********** "******()" ******** ****** * CGI **********, ********* ***** ************ ***** the *******. **** ***** ***** ******** a **** **** *** ******* * script **** ********* *** ****** *******, hence ******** ********** *** *****.
*** **** **** ********* ****** **** process ** ********* ***** *** **** "MeRcUrY" ** *** ***. **** ****** cipher ************** ** ********** *** ******, with ******* ***** * ****** ***.
***** *** *********** **** **** ****** to ****** *** *****, *** "******()" vulnerability—a ******* ****** ********—***** *********** ** further ********* *** ********* ********* *********, escalating *** *******'* ****** ** * full ****** **** ********* (***).
*** *** ***** ******** ******** (**<=*.***), the *********** **** ** *************** *** script, "************.***", ***** ******* **** ******* to *** *****—* ******** ********* **** for ******** *******. *********** ******** *** signature ************ ******* ************ *** ******** update ********* ** *** **** *******.
** ************ *** ******** **** ** include ** ******* ********* ****, **** crafted * ******-******** ****** **** ***** fail *** ********* ***** *** ***** the ******, ******* ** * ******.
Custom ******* *** **** *******
*********** ******* * ****** ******* ** open *** **** ***** *** **** relay *** *****-******** ** ** **** with *** *****. **** *** *** final **** ** *** *******, ******** access ** *** ***** ********* ** the ********* *****.
Eight **** ********
*** ****** **** ********* ************* *** ******* *** ****** (* and ** ******) **** ** ******* consists ** ***** ****, **** **** v3 ****** ******* **** *.* ** 10.0. *** ******** ******* ******* * critical ******** ***** (**.*/**.*), **** ***** of ***** **** ****** ******** ******** (>9.0) *** **** ****** **** ******** (>7.0).
*** **** **** ** ** *** a *** ********* ********* *** ***** directly **** **** ** ********** ****.
**, *** ** *** * ********* authority, ******** ** ** ******* ****. When ** ******* ****, ** **** directly **** **** *** ***** ********** and ************ ********.
Users ****** ******/****** ********
***** *** ******** ** *****-******* ****** can ** ******* ***** *** ********** software, ***-*****-******* ****** **** ** ** updated ************. **** ******* * *********** portion ** ***-***** ****** *** ** be *******, ** ******* ******* ***** rolls ** ***** ** ******** **** board. **** *** ******** ******** ** these ***************, ******** ****** ****** *** attackers, ***** ****** ****** ***** ******** versions *** ******, ** *********, ** the ****** *******.