CVE-2022-31479

9.6 CRITICAL

📋 TL;DR

CVE-2022-31479 allows unauthenticated attackers to execute arbitrary shell commands by injecting malicious hostnames into HID Mercury Intelligent Controllers. This enables remote code execution, configuration modification, and persistent access. Affected devices include LP1501, LP1502, LP2500, LP4502, and EP4502 controllers with vulnerable firmware versions.

💻 Affected Systems

Products:
  • HID Mercury Intelligent Controller LP1501
  • HID Mercury Intelligent Controller LP1502
  • HID Mercury Intelligent Controller LP2500
  • HID Mercury Intelligent Controller LP4502
  • HID Mercury Intelligent Controller EP4502
Versions: LP series: firmware versions prior to 1.302; EP series: firmware versions prior to 1.296
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise, allowing an attacker to monitor all communications, modify relays and configuration files, install persistent backdoors, and potentially pivot to other network systems.

🟠

Likely Case

Attacker gains remote shell access to modify device configuration, disrupt operations, and maintain persistence for future attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the isolated device, with no lateral movement.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows direct attack from internet if devices are exposed.
🏢 Internal Only: HIGH - Even internally, unauthenticated access means any compromised internal system can exploit these devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted hostname updates to vulnerable devices. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LP series: 1.302 or later; EP series: 1.296 or later

Vendor Advisory: https://www.corporate.carrier.com/product-security/advisories-resources/

Restart Required: Yes

Instructions:

1. Download firmware update from HID/Carrier support portal.
2. Backup current configuration.
3. Apply firmware update via management interface.
4. Reboot device.
5. Verify firmware version.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected controllers in separate VLAN with strict firewall rules preventing external access to management interfaces.

Access Control Lists

all

Implement network ACLs to restrict which systems can communicate with controller management interfaces.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate controllers from untrusted networks
  • Monitor for unusual hostname changes or unexpected configuration modifications

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or SSH: LP series < 1.302 or EP series < 1.296 indicates vulnerability.

Check Version:

Check via web interface at System > About or via SSH using vendor-specific commands

Verify Fix Applied:

Verify firmware version shows LP series >= 1.302 or EP series >= 1.296 after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual hostname changes
  • Unexpected configuration modifications
  • Multiple failed authentication attempts followed by successful configuration changes

Network Indicators:

  • Unusual traffic patterns to controller management ports
  • Hostname update requests from unexpected sources

SIEM Query:

source_ip IN (controller_ips) AND (event_type="configuration_change" OR event_type="hostname_update")
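
The log and network indicators above, turned into a triage check over hostname-update events. This is an added example, not vendor or SIEM-product code; the JSON field names `controller_ip`, `requester_ip` and `new_hostname`, the management subnet, and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
import json
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen. Anything else is not a hostname.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Assumption: the only subnet expected to administer the controllers.
MGMT_NET = ipaddress.ip_network("10.20.0.0/28")

def valid_hostname(name):
    if not isinstance(name, str) or not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def triage(line):
    """Return the findings for one JSON event line (empty list = nothing to flag)."""
    ev = json.loads(line)
    if ev.get("event_type") != "hostname_update":
        return []
    findings = []
    if not valid_hostname(ev.get("new_hostname")):
        findings.append("hostname is not RFC 1123 syntax")
    try:
        inside = ipaddress.ip_address(ev.get("requester_ip", "")) in MGMT_NET
    except ValueError:  # missing or malformed address counts as unexpected
        inside = False
    if not inside:
        findings.append("requester outside management subnet")
    return findings

# Constructed sample events (not real device logs).
SAMPLE = [
    '{"controller_ip":"10.20.1.15","requester_ip":"10.20.0.5","event_type":"hostname_update","new_hostname":"lobby-ctl-01"}',
    '{"controller_ip":"10.20.1.15","requester_ip":"10.20.0.5","event_type":"hostname_update","new_hostname":"lobby-ctl;x"}',
    '{"controller_ip":"10.20.1.16","requester_ip":"192.0.2.44","event_type":"hostname_update","new_hostname":"dock-ctl-02"}',
    '{"controller_ip":"10.20.1.16","requester_ip":"10.20.0.5","event_type":"configuration_change"}',
]

def report():
    """Findings for each sample event, in order."""
    return [triage(line) for line in SAMPLE]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE, report()):
        print(findings or "ok", "<-", line)
```
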
