LenelS2 NetBox

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-24-151-01 | May 30, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

LenelS2 NetBox versions prior to 5.6.2 contain hardcoded credentials (CWE-259) and command injection vulnerabilities (CWE-78, CWE-88) that allow an attacker to bypass authentication and execute malicious commands with elevated permissions. Successful exploitation could compromise the integrity and availability of physical access control systems.

What this means
What could happen
An attacker could bypass authentication and execute arbitrary commands on the NetBox access control system with elevated privileges, potentially disabling access control enforcement or altering facility entry/exit permissions.
Who's at risk
Building access control system operators and facility managers. Any organization using LenelS2 NetBox for physical security and access control should prioritize this vulnerability. Affected systems manage entry/exit points and are critical to facility perimeter security operations.
How it could be exploited
An attacker on the network sends a crafted request to the NetBox system that bypasses authentication checks due to hardcoded credentials or command injection flaws, then executes arbitrary system commands with administrative privileges to compromise the system.
Prerequisites
  • Network access to NetBox system on the configured port
  • No valid credentials required (authentication bypass vulnerability)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Critical CVSS score (9.8)
  • Hardcoded credentials (CWE-259)
  • Command injection (CWE-78)
  • Affects access control systems
Exploitability
Some exploitation risk — EPSS score 1.1%
Affected products (1)
Product | Affected Versions | Fix Status
NetBox: <5.6.2 | <5.6.2 | 5.6.2
Remediation & Mitigation
Do now
HARDENING: Restrict network access to NetBox system - ensure it is not reachable from the internet and is located behind a firewall
WORKAROUND: If remote access is required, use VPN with current security updates
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade NetBox to version 5.6.2 or later
Long-term hardening
HARDENING: Isolate NetBox and access control network from the business network
HARDENING: Review and apply NetBox hardening guide recommendations from the built-in help menu