CVE-2022-31481
📋 TL;DR
An unauthenticated buffer overflow vulnerability in HID Mercury Intelligent Controllers allows attackers to execute arbitrary code by sending specially crafted update files. This affects LP1501, LP1502, LP2500, LP4502, and EP4502 controllers with vulnerable firmware versions. Successful exploitation gives attackers full device control including monitoring communications, modifying relays, changing configurations, or crashing devices.
💻 Affected Systems
- HID Mercury Intelligent Controller LP1501
- HID Mercury Intelligent Controller LP1502
- HID Mercury Intelligent Controller LP2500
- HID Mercury Intelligent Controller LP4502
- HID Mercury Intelligent Controller EP4502
📦 What is this software?
- Ep4502 Firmware by Hidglobal
- Lp1501 Firmware by Hidglobal
- Lp1502 Firmware by Hidglobal
- Lp2500 Firmware by Hidglobal
- Lp4502 Firmware by Hidglobal
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to monitor all communications, modify physical relay states, alter configurations, install persistent backdoors, or cause critical system failures affecting physical security systems.
Likely Case
Attackers gain remote code execution to monitor device communications, modify configurations, and potentially disrupt physical access control systems.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the isolated network segment, with no reach into critical systems.
🎯 Exploit Status
Unauthenticated exploitation via crafted update files makes this easily exploitable once details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: LP series: 1.302+, EP series: 1.296+
Vendor Advisory: https://www.corporate.carrier.com/product-security/advisories-resources/
Restart Required: Yes
Instructions:
1. Download the latest firmware from the HID/Carrier support portal.
2. Back up the current configuration.
3. Upload the firmware update via the web interface or management software.
4. Reboot the device.
5. Verify the firmware version after reboot.
🔧 Temporary Workarounds
Network Segmentation
Isolate controllers in a dedicated VLAN with strict firewall rules blocking external access to update ports.
Access Control Lists
Implement IP-based restrictions allowing only authorized management systems to communicate with controllers.
🧯 If You Can't Patch
- Segment network to isolate controllers from untrusted networks
- Implement strict firewall rules blocking all unnecessary inbound traffic to controller management interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface or management software. LP series versions below 1.302 and EP series versions below 1.296 are vulnerable.
Check Version:
Check via web interface at http://[controller-ip]/ or using Mercury Enterprise Controller software
Verify Fix Applied:
Verify firmware version shows LP series 1.302+ or EP series 1.296+ after update.
📡 Detection & Monitoring
Log Indicators:
- Unexpected firmware update attempts
- Multiple failed update attempts from unauthorized sources
- Device configuration changes without authorized maintenance windows
Network Indicators:
- Unusual traffic to controller update ports (typically 80/443)
- Firmware update packets from unexpected source IPs
- Large file transfers to controller management interfaces
SIEM Query:
source_ip=* AND dest_port IN (80,443) AND dest_ip IN (controller_ips) AND bytes_transferred > 1000000 AND (uri_path CONTAINS 'update' OR uri_path CONTAINS 'firmware')
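As an added example (not code from the advisory or from HID/Carrier), the version triage from "How to Verify" and the detection condition above, with the OR grouped so that 'firmware' does not match every record, applied to constructed log records; the controller IP inventory and the record layout are assumptions:

```python
# Added example (not advisory or vendor code): version triage plus the page's detection heuristic over constructed records.
from dataclasses import dataclass

# Fixed-version thresholds from the advisory; anything below is vulnerable.
FIXED_VERSIONS = {"LP": (1, 302), "EP": (1, 296)}
CONTROLLER_IPS = {"10.10.5.21", "10.10.5.22"}  # constructed inventory (assumption)
UPDATE_PORTS = {80, 443}                        # "typically 80/443" per the page
SIZE_THRESHOLD = 1_000_000                      # bytes, from the page's SIEM query

def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable(model: str, version: str) -> bool:
    """model is e.g. 'LP1502' or 'EP4502'; the family is its first two letters."""
    family = model.strip().upper()[:2]
    if family not in FIXED_VERSIONS:
        raise ValueError(f"unknown controller family in model {model!r}")
    return parse_version(version) < FIXED_VERSIONS[family]

@dataclass
class Record:            # one normalised proxy/flow log line (constructed shape)
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_transferred: int
    uri_path: str

def is_suspicious_update(r: Record) -> bool:
    """The SIEM condition with the OR grouped correctly: a large transfer to a
    controller's update port whose path mentions 'update' or 'firmware'."""
    path = r.uri_path.lower()
    return (r.dst_ip in CONTROLLER_IPS and r.dst_port in UPDATE_PORTS
            and r.bytes_transferred > SIZE_THRESHOLD
            and ("update" in path or "firmware" in path))

# Constructed sample records, not real traffic.
SAMPLE_RECORDS = [
    Record("192.0.2.77", "10.10.5.21", 80, 2_400_000, "/cgi-bin/firmware_upload"),
    Record("10.10.9.5", "10.10.5.22", 443, 512_000, "/update"),         # too small
    Record("192.0.2.77", "10.10.5.21", 443, 3_000_000, "/api/status"),  # other path
    Record("192.0.2.77", "10.10.7.1", 80, 3_000_000, "/update"),        # not a controller
]

def flag_records(records=SAMPLE_RECORDS) -> list[Record]:
    return [r for r in records if is_suspicious_update(r)]

if __name__ == "__main__":
    for m, v in [("LP1502", "1.301"), ("LP1502", "1.302"), ("EP4502", "1.296")]:
        print(m, v, "vulnerable" if is_vulnerable(m, v) else "fixed")
    for r in flag_records():
        print("ALERT", r)
```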