Multiple Vulnerabilities Reported in LenelS2 NetBox Entry Tracking and Event Monitoring Tool
31 May 2024 at 14:59
Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution.
The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.
Multiple Vulnerabilities in Carrier's LenelS2 NetBox
Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical (CVE-2024-2420) of these vulnerabilities could potentially enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises which deploy the tool. [caption id="attachment_73894" align="alignnone" width="1478"] Source: Carrier Product Security Advisory[/caption] Successful compromise could allow an attacker to install programs, view, edit, modify data, delete data from the platform or create new user accounts with full privileges. However, this depends on the access level of accounts that had been compromised in the event of an attack. The impact of a potential attack could be lower on systems configured with low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:- CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
- CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands
- CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.