Multiple Vulnerabilities Present In Carrier’s LenelS2 NetBox

Vulnerabilities could be potentially exploited by attackers for arbitrary remote code execution, while posing the highest risks to businesses and government entities.

by Alan J May 31st, 2024

Share on LinkedInShare on Twitter

Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution.

The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.

Multiple Vulnerabilities in Carrier’s LenelS2 NetBox

Three vulnerabilities were identified in Carrier’s product security advisory for NetBox. The most critical (CVE-2024-2420) of these vulnerabilities could potentially enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises which deploy the tool.

Source: Carrier Product Security Advisory

Successful compromise could allow an attacker to install programs, view, edit, modify data, delete data from the platform or create new user accounts with full privileges. However, this depends on the access level of accounts that had been compromised in the event of an attack. The impact of a potential attack could be lower on systems configured with low level of user access.

The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:

  • CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
  • CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands
  • CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.

The Center of Internet Security stated that these vulnerabilities pose higher risks to large and medium government or business entities, while posing lower risks to small businesses and individual home owners.

Source: cisecurity.org

Vulnerability Remediation

Carrier has attempted to address these vulnerabilities in its latest release of NetBox version 5.6.2. Carrier has advised customers to immediately upgrade to the latest release version by reaching out to their authorized NetBox installer.

As mitigation, Carrier also advised customers to follow the recommended deployment guidelines, which are detailed in its NetBox hardening guide accessible through NetBox’s built-in help menu.

The Center of Internet Security has advised customers to take additional measures such as applying appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorous scanning of vulnerabilities and isolating critical systems, functions, or resources.

The lack of basic security safeguards along with poor code practices such as the presence of hard-coded authentication tokens and improper input sanitization raises concerns about the usage of NetBox to guard physical access to important business and government areas or critical infrastructure.

While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, the severity of these vulnerabilities mark them as an important security consideration as countless organizations could be at risk of devastating attacks.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button