Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Exploited Building Access System Vulnerability Patched 5 Years After Disclosure

Vulnerabilities affecting a Nice Linear physical access product, including an exploited flaw, patched five years after their disclosure.

Door access control vulnerabilities

Vulnerabilities affecting Linear building access control products, including a security flaw that has been exploited in the wild, have been patched nearly five years after their initial disclosure.

In May 2019, at SecurityWeek’s ICS Cyber Security Conference, Gjoko Krstic, a researcher who at the time worked for industrial cybersecurity firm Applied Risk, disclosed information on more than 100 vulnerabilities found in building management and access control systems from Nortek, Prima Systems, Optergy, and Computrols.

Nortek stood out at the time because it was the only vendor that had not released patches. It claimed to have released fixes, but Krstic said at the time that the vendor had not given him the opportunity to send over the actual vulnerability details. 

Over 2,500 internet-exposed instances of the company’s Linear eMerge access control product were identified when the vulnerabilities were disclosed in 2019.

Less than one year later, in February 2020, SonicWall reported that one of the vulnerabilities found by Krstic, a critical unauthenticated remote code execution bug tracked as CVE-2019-7256, had been exploited in attacks

The security firm was seeing tens of thousands of daily attempts to exploit the vulnerability in an effort to infect devices with a piece of malware that would allow cybercriminals to launch DDoS attacks. Over 2,300 potentially affected devices had still been exposed to the internet. 

In July 2020, the US cybersecurity agency CISA published an advisory to inform customers that Nortek had released patches for five of the Linear eMerge vulnerabilities found by Krstic, but the list did not include the exploited CVE-2019-7256.

Nortek Security & Control was acquired by smart home, security and building automation solutions firm Nice in 2021, but it apparently took until 2023 for the vulnerabilities to emerge on Nice’s radar. 

Advertisement. Scroll to continue reading.

In May 2023, the vendor published a security bulletin saying that it had become aware that some of the Linear telephone entry (intercom) products had been compromised. However, no CVE identifiers were mentioned in the bulletin. 

The company urged customers to increase network security and remove the impacted system from the internet until a permanent solution is provided. Customers whose devices had been hacked were offered a firmware recovery kit at no cost.

In late June 2023, Nice published a second security bulletin, informing customers of Linear eMerge E3 series door access control products about the availability of a firmware update that should address some unspecified vulnerabilities.

CISA published a new advisory describing a dozen Linear eMerge E3 series vulnerabilities on March 5, 2024, warning that they can allow a remote attacker to gain full system access. All of the security holes have 2019 CVEs and the list includes CVE-2019-7256, the vulnerability exploited in the wild. 

CISA said the latest firmware update should address the flaws, but it’s unclear exactly when the patches were released. Krstic told SecurityWeek on Monday that Nice informed CISA in September 2023 that it had still been working on guidance for securing impacted devices. The researcher said he never received confirmation of a patch being developed or tested.

Contacted by SecurityWeek, Nice said it takes the security of its products very seriously and confirmed releasing firmware patches. 

“After we were notified of the vulnerabilities referenced in the CISA advisory, we immediately initiated an investigation to assess the validity and potential implications for our products and customers,” said Paul Williams, managing director of Nice’s home management business unit.   

“Following our investigation, we learned that these vulnerabilities are limited to telephone entry systems that were deployed outside the protection of a firewall. Furthermore, we have received no reports of sensitive data having been accessed as a result of these issues. 

“To mitigate these vulnerabilities, we immediately alerted our vendors and customers and initiated a remediation plan, including only installing our telephone entry system behind a firewall. We have since released firmware updates specifically designed to fix the vulnerabilities,” Williams added.

Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Axis Door Controller Vulnerability Exposes Facilities to Physical, Cyber Threats

Related: Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...