• Flaws in Linear eMerge E3 devices by Nortek Security & Control (NSC) are being exploited by DDoS botnet operators.
  • These devices regulate access to employees and visitors for doors and rooms based on their credentials (access codes) or smart cards.

Researchers from a security firm disclosed that hackers are actively exploiting smart building access control systems to launch DDoS attacks.

What happened?

According to researchers from the firewall provider SonicWall, attackers are targeting Linear eMerge E3—a product of Nortek Security & Control (NSC), to access the internet and hijack smart door or building access control systems.

  • Linear eMerge E3 devices are installed in corporate headquarters, factories, or industrial parks.
  • Their key role is to regulate access to employees and visitors for doors and rooms based on their credentials (access codes) or smart cards.

Earlier warning

Researchers from Applied Risk, another cybersecurity firm, had uncovered around ten vulnerabilities impacting NSC’s Linear eMerge E3 devices.

A security advisory by the firm read that six of the ten vulnerabilities had a severity score of 9.8 or 10 out of a maximum of 10. Applied Risk also released the proof-of-concept exploit code in November 2019. NSC is yet to provide security patches, as per the advisory.

The vulnerability in question — CVE-2019-7256

SonicWall researchers said in its report that hackers first scan the internet for exposed NSC Linear eMerge E3 devices and then exploit one of the ten vulnerabilities.

  • The vulnerability in use currently, also dubbed as CVE-2019-7256, is a command injection flaw.
  • CVE-2019-7256 is being exploited actively by DDoS botnet operators.
  • The vulnerability has a severity score of 10/10, meaning it can be exploited remotely, even by a low-skilled attacker.
  • CVE-2019-7256 can be used to take over devices, install malware, and launch DDoS attacks, including on other targets.

In its alert, SonicWall researchers said, "This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request."

Cyware Publisher