Hackers have already compromised more than 2,300 Linear eMerge E3 building access systems exploiting a severe vulnerability that has yet to be fixed.

L inear eMerge E3 smart building access systems designed by N ortek Security & Control (NSC) are affected by a severe vulnerability (CVE-2019-7256) that has yet to be fixed and attackers are actively scanning the internet for vulnerable devices.

Researchers from SonicWall revealed that hackers are attempting to compromise Linear eMerge E3 smart building access systems to recruit them in a DDoS botnet .

The Linear E3 devices are installed in commercial, industrial, banking, medical, retail, hospitality, and other businesses to secure their facilities and manage access to personnel.

In May 2019, security researcher Gjoko Krstic from Applied Risk discovered over 100 vulnerabilities in management and access control systems from four major vendors, including Nortek.

An attacker can exploit the vulnerabilities to gain full control of the vulnerable products and access to the devices connected to them.

Krstic conducted a year-long study on building management (BMS), building automation (BAS) and access control products from Nortek, Prima Systems, Optergy, and Computrols. The experts analyzed several products, including Computrols CBAS-Web, Optergy Proton/Enterprise, Prima FlexAir, and of course two Nortek Linear eMerge products.

Krstic found several types of flaws, including default and hardcoded credentials, command injection, cross-site scripting (XSS), path traversal, unrestricted file upload, privilege escalation, authorization bypass, clear-text storage of passwords, cross-site request forgery (CSRF), arbitrary code execution, authentication bypass, information disclosure, open redirect, user enumeration, and backdoors .

“Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in p roduct documentation and compiled lists available on the Internet.” reads the advisory p ublished by Applied Risk. “It is p ossible to identify exposed systems using search engines like Shodan, and it is feasible to scan the entire IPv4 internet. Applied Risk has calculated a CVSSv3 score of 9.8 for this vulnerability”

In N ovember, Applied Risk released a proof-of-concept exploit code for the CVE-2019-7256 flaw along with a Metasploit module that exploits a command injection vulnerability in the L inear eMerge E3 Access Controller.

According to a report recently published by SonicWall, hackers are scanning the Internet for NSC Linear eMerge E3 devices to exploit the CVE-2019-7256 flaw. The experts warn that the vulnerability is very easy to exploit, attackers are triggering it via a specially crafted HTTP request that is sent to vulnerable systems.

“ SonicWall Capture Labs Threat Research team observe huge hits on our firewalls that attempt to exploit the command injection vulnerability with the below HTTP request.” reads the advisory published by SonicWall.

“Once the vulnerability is exploited successfully on the target, the following shell commands will be executed on the target system:

The above shell commands are used to download the malware and execute it on the exploited systems.”

Threat actors are compromising the access control systems using the CVE-2019-7256 flaw and install a DDoS bot, the malicious activity was first reported on January 9 by Bad Packets.

CVE-2019-7256 is actively being exploited by DDoS botnet operators.



This unauthenticated remote command injection vulnerability affects Linear eMerge E3 access control systems running firmware versions 1.00-06 and older.https://t.co/5VQbJshH6l#threatintel — Bad Packets Report (@bad_packets) January 10, 2020

“As per Applied Risk’s research report, a total number of 2,375 Internet-accessible eMerge devices are listed by the Shodan search engine; 600 for eMerge50P and 1775 for eMerge E3.” continues SonicWall.

“Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most [attacks being] observed in U.S. ,”.

The hackers are actively targeting devices exposed online that are located in over 100 countries, most of them in the U.S.

Experts recommend to disconnect the vulnerable NSC L inear eMerge E3 devices from the internet or limiting the access to them.

Pierluigi Paganini