CVE-2022-31483 in LP1501
Summary
by MITRE • 06/06/2022
An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlying Linux operating system with root privileges.
Analysis
by VulDB Data Team • 06/08/2022
This vulnerability is a critical directory traversal flaw that lets authenticated attackers bypass file upload restrictions and gain arbitrary file system access on embedded Linux devices. It stems from inadequate input validation in the file upload functionality of HID Mercury Intelligent Controllers, specifically models LP1501, LP1502, LP2500, LP4502, and EP4502. When an attacker supplies a filename containing directory traversal sequences such as ".." and "/", the system fails to sanitize the input, so the destination path can be manipulated to write the file to an arbitrary location on the filesystem. The flaw maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a well-documented weakness that frequently leads to privilege escalation and system compromise. Because the vulnerability sits at the application layer and requires authentication, it is less immediately exploitable than an unauthenticated flaw, but the privileged access it enables still makes it a significant risk.
The operational impact extends far beyond simple file upload manipulation, because it gives attackers complete control over the underlying Linux operating system. Once the vulnerability is exploited, an attacker can overwrite critical system files, modify configuration parameters, and install persistent backdoors or startup services that survive reboots. This amounts to privilege escalation to root, compromising the entire device and potentially enabling lateral movement within the networks where these controllers are deployed. Exploitation aligns with ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1543 (Create or Modify System Process), since the compromised system can be used to establish persistent access and execute commands with the highest available privileges. The affected devices typically operate in industrial control environments where system integrity is paramount, which makes this vulnerability particularly dangerous for critical infrastructure deployments.
The security implications of CVE-2022-31483 cover both confidentiality and integrity, as attackers can not only read sensitive system files but also modify or replace them with malicious counterparts. The vulnerability affects firmware versions prior to 1.271, indicating that the vendor identified and addressed the issue in a security update. Organizations deploying these HID Mercury controllers should immediately assess their network exposure and implement mitigations including firmware updates, network segmentation, and access control restrictions. The flaw demonstrates the importance of proper input validation and the principle of least privilege in embedded system design: authentication should never be the sole mechanism protecting against path traversal. It also highlights the need for regular security assessments and patch management in industrial environments, where legacy systems may remain operational for long periods without security updates. Network monitoring should be tuned to detect unusual file upload patterns or attempts to reach system directories, as these may indicate exploitation attempts.
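The vulnerable pattern described above, beside a hardened version of the same check, as an added illustration that is not code from the affected firmware or from HID; the upload directory `/var/uploads` and the sample filenames are constructed for the example.

```python
import posixpath

UPLOAD_ROOT = "/var/uploads"  # hypothetical upload directory, not the device's real path


def naive_destination(upload_root: str, filename: str) -> str:
    """The CWE-22 pattern: the client-supplied filename is joined to the upload
    directory with no validation. A leading "/" replaces the root entirely and
    ".." components walk out of it, so the write can land anywhere."""
    return posixpath.normpath(posixpath.join(upload_root, filename))


def safe_destination(upload_root: str, filename: str) -> str:
    """Hardened version. Validate the *decoded* filename the OS will actually
    see (run this after any URL/multipart decoding, never before):
      1. no path separators at all (the name must equal its own basename),
      2. no dot names or hidden files,
      3. a conservative character allowlist,
      4. and, as defence in depth, confirm the normalized result is still
         inside the upload root even after steps 1-3."""
    if not filename or filename != posixpath.basename(filename):
        raise ValueError("path separators are not allowed in an upload filename")
    if filename in (".", "..") or filename.startswith("."):
        raise ValueError("dot names and hidden files are not allowed")
    if not all(ch.isalnum() or ch in "._-" for ch in filename):
        raise ValueError("filename contains disallowed characters")
    root = posixpath.normpath(upload_root)
    dest = posixpath.normpath(posixpath.join(root, filename))
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError("destination escapes the upload directory")
    return dest


def audit_filename(filename: str) -> tuple:
    """Return (accepted, detail) so an upload handler can log rejected names
    for detection; a rejection here is a useful alert signal on its own."""
    try:
        return True, safe_destination(UPLOAD_ROOT, filename)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in ("report.txt", "../../etc/passwd", "/etc/passwd", "sub/x.txt"):
        print(name, "->", naive_destination(UPLOAD_ROOT, name), audit_filename(name))
```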