CVE-2022-31483
📋 TL;DR
This is a path traversal vulnerability in HID Mercury Intelligent Controllers that allows authenticated attackers to upload files anywhere on the filesystem. Attackers can overwrite system files and install persistent backdoors to gain root access. Affected products include LP1501, LP1502, LP2500, LP4502, and EP4502 controllers with firmware versions before 1.271.
💻 Affected Systems
- HID Mercury Intelligent Controller LP1501
- HID Mercury Intelligent Controller LP1502
- HID Mercury Intelligent Controller LP2500
- HID Mercury Intelligent Controller LP4502
- HID Mercury Intelligent Controller EP4502
📦 What is this software?
Ep4502 Firmware by Hidglobal
Lp1501 Firmware by Hidglobal
Lp1502 Firmware by Hidglobal
Lp2500 Firmware by Hidglobal
Lp4502 Firmware by Hidglobal
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level remote access, allowing attackers to disable security controls, steal credentials, and pivot to other network systems.
Likely Case
Persistence establishment through startup service installation, enabling ongoing remote access and potential data exfiltration from the controller system.
If Mitigated
Limited impact with proper network segmentation and file integrity monitoring, potentially detecting unauthorized file modifications.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple path traversal techniques that are well-understood by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 1.271 or later
Vendor Advisory: https://www.corporate.carrier.com/product-security/advisories-resources/
Restart Required: Yes
Instructions:
1. Download firmware version 1.271 or later from the HID/Carrier support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the firmware update.
5. Reboot the controller.
6. Verify the firmware version.
🔧 Temporary Workarounds
Restrict File Upload Functionality
Disable or restrict file upload features in controller configuration if not required for operations.
Implement File Integrity Monitoring
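Monitor critical system directories for unauthorized file modifications using tools like AIDE or Tripwire.
# Build the baseline database; copy the newly written database to the location aide.conf reads from before checking
aide --init
# Compare the current filesystem state against the baseline
aide --check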
🧯 If You Can't Patch
- Implement strict network segmentation to isolate controllers from critical networks
- Enforce strong authentication policies and monitor for suspicious file upload activities
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the controller web interface or over SSH (cat /etc/version or a similar version file). Firmware versions before 1.271 are affected.
Check Version:
cat /proc/version || cat /etc/*release || find / -name '*version*' -type f | xargs cat
Verify Fix Applied:
Verify firmware version is 1.271 or higher and test file upload functionality with path traversal attempts
📡 Detection & Monitoring
Log Indicators:
- File upload logs containing '..' or '/' sequences
- Unauthorized file modifications in system directories
- New service installations in /etc/init.d or similar
Network Indicators:
- Unusual outbound connections from controller to external IPs
- SSH or reverse shell connections originating from controller
SIEM Query:
source="controller_logs" AND (("file upload" AND (".." OR "/")) OR "service install" OR "startup script")
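
Matching a bare '/' in upload logs is noisy and a literal '..' match misses encoded forms, so the following added example (not HID's or this page's own code) decodes each logged filename and resolves it against an upload directory before flagging it. The log layout, `UPLOAD_ROOT` and the sample lines are constructed assumptions; `/etc/init.d` is the startup location named in the log indicators above.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed values: upload directory and log layout are illustrative, not HID's.
UPLOAD_ROOT = "/var/upload"
STARTUP_DIRS = ("/etc/init.d",)  # persistence location named in the indicators
FILENAME_RE = re.compile(r'file upload .*?filename="([^"]*)"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def resolve_upload(filename):
    """Path that a plain 'root + filename' join would write to."""
    name = decode_fully(filename).replace("\\", "/")
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))

def classify(filename):
    """'ok' inside the upload root, 'startup' in a startup dir, else 'traversal'."""
    target = resolve_upload(filename)
    if any(target.startswith(d + "/") for d in STARTUP_DIRS):
        return "startup"
    if target.startswith(UPLOAD_ROOT + "/"):
        return "ok"
    return "traversal"

def scan(lines):
    """Return (line_number, filename, verdict) for each suspicious upload entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = FILENAME_RE.search(line)
        if match and classify(match.group(1)) != "ok":
            hits.append((number, match.group(1), classify(match.group(1))))
    return hits

# Constructed sample log lines (not captured from a real controller).
SAMPLE_LOG = [
    '2022-06-01T10:00:01 user=admin file upload filename="cards/batch01.csv"',
    '2022-06-01T10:02:13 user=admin file upload filename="../../etc/init.d/S99example"',
    '2022-06-01T10:02:40 user=admin file upload filename="%2e%2e%2f%2e%2e%2fetc%2fpasswd"',
    '2022-06-01T10:03:05 user=admin file upload filename="/etc/shadow"',
    '2022-06-01T10:04:00 user=admin login ok',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The first sample line contains a '/' but resolves inside the upload directory, so it is not reported; the absolute-path and percent-encoded entries are.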