Linear eMerge E3 access controller actively being exploited
Linear eMerge E3:
Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation, and personal safety systems and devices. NSC's Linear eMerge E3 is an access controller that specifies which doors a person can use to enter and exit designated places at specified times. It runs on an embedded Linux operating system and can be managed from a browser via an embedded web server. These access systems are used by commercial, industrial, banking, medical, retail, hospitality, and other businesses that need to secure their facilities.
Vulnerability | CVE-2019-7256:
A command injection vulnerability has been reported in the eMerge E3-series access controller. The issue is caused by insufficient sanitizing of user-supplied input passed to a PHP function, allowing arbitrary command execution with root privileges. A remote, unauthenticated attacker can exploit this to execute arbitrary commands in the context of the application via a crafted HTTP request.
The SonicWall Capture Labs Threat Research team observes a huge number of hits on our firewalls that attempt to exploit the command injection vulnerability with the HTTP request below.
Once the vulnerability is exploited successfully on the target, the following shell commands will be executed on the target system:
The above shell commands are used to download the malware and execute it on the exploited systems.
The malware then accepts commands from its C2 server to conduct various types of DoS attacks against any given target.
Linear eMerge Elite/Essential Firmware version 1.00-06
As per Applied Risk's research report, a total of 2,375 Internet-accessible eMerge devices are listed by the Shodan search engine: 600 eMerge50P and 1,775 eMerge E3.
A quick search on Shodan exposes over 2,000 Linear devices.
An attacker can leverage an OS command injection vulnerability to alter or corrupt a database, steal customer records, launch a distributed denial of service (DDoS) attack or even compromise other parts of the hosting infrastructure. The resulting damage is determined by the user authorizations and security protections that the organization has in place. In addition, attackers may retain access to the systems even after an organization has detected and fixed the underlying vulnerability.
No patch available yet.
The exploitation is known to be easy, given the proof of concept code. The attack may be launched remotely and no form of authentication is required for exploitation.
Until a security patch is released, preventing this exploit may require blocking access to the vulnerable PHP script, or restricting the affected input to a whitelist of permitted values.
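The whitelist mitigation in PHP, as an added illustration that is not code from the advisory or from the vendor's firmware. The script, parameter name and helper binary are hypothetical, since the advisory does not identify the vulnerable PHP script; only the pattern (unsanitized input reaching a shell, then a fixed allowlist or strict validation in front of it) is what the text describes.

```php
<?php
// Added example. Names below are hypothetical placeholders, not the real
// eMerge script or parameter: the advisory does not name them.
const READER_TOOL = '/usr/local/bin/reader-tool';          // hypothetical helper binary
const ALLOWED_READERS = ['reader1', 'reader2', 'reader3']; // constructed allowlist

// VULNERABLE PATTERN: the request value is concatenated straight into a shell
// command line, so shell metacharacters in it become additional commands.
// Because the embedded web server runs as root, so does anything injected.
function runReaderToolVulnerable(string $reader): string
{
    return (string) shell_exec(READER_TOOL . ' ' . $reader); // do not do this
}

// MITIGATION 1 (what the advisory recommends): accept only values from a fixed
// whitelist, compared strictly, and reject everything else before any shell runs.
function isAllowlistedReader(string $reader): bool
{
    return in_array($reader, ALLOWED_READERS, true);
}

// MITIGATION 2: when values cannot be enumerated, constrain their shape with a
// strict pattern so ';', '|', '`', '$(' and newlines can never appear at all.
function isWellFormedReader(string $reader): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $reader) === 1;
}

// Hardened entry point: validate first, then still quote the argument with
// escapeshellarg() so the value is passed as data, never as shell syntax.
function runReaderToolHardened(string $reader): string
{
    if (!isAllowlistedReader($reader) && !isWellFormedReader($reader)) {
        http_response_code(400);
        return 'rejected';
    }
    return (string) shell_exec(READER_TOOL . ' ' . escapeshellarg($reader));
}

// Unauthenticated GET handler, as in the advisory's attack path (hypothetical).
echo runReaderToolHardened($_GET['reader'] ?? '');
```

Blocking the script at the web server or firewall (the advisory's other interim option) removes the exposure entirely; the validation above is the code-level fix for when the script must stay reachable.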
After discovering that an OS command injection attack has taken place, it’s critical to cut off access to the compromised systems from the internal networks.
The SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:
IPS: 14767 Linear eMerge Remote Code Execution
WAF: 9012 System Command Injection Variant 2
Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most attacks being observed in the U.S.
We have not found these IP addresses associated with any specific threat actor; most of them are seen crawling the Internet, looking for vulnerable services and attempting to brute-force and exploit IoT devices. A large share of the attacks originate from compromised devices such as webcams or DVRs, which indicates that they are infected with a Conficker- or Mirai-like malware variant.