Carrier has issued a critical product security advisory confirming several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities, affecting versions prior to 5.6.2, expose the system to potential remote code execution and unauthorized access, posing serious risks to enterprises, particularly government entities and large businesses. The identified vulnerabilities include a hard-coded password (CVE-2024-2420) with a CVSS score of 9.8, an unauthenticated remote code execution flaw (CVE-2024-2421) with a CVSS score of 9.1, and an authenticated remote code execution issue (CVE-2024-2422) with a CVSS score of 8.8.
The most critical vulnerability, CVE-2024-2420, allows attackers to bypass authentication and gain elevated permissions, enabling them to install programs, modify or delete data, and create new user accounts with full privileges. This threat is particularly concerning for high-security installations, such as government-controlled sites and major corporations, where NetBox is frequently deployed.
Carrier has addressed these vulnerabilities in the latest release, version 5.6.2, and advises all users to upgrade immediately. Customers are also encouraged to follow recommended deployment guidelines detailed in the NetBox hardening guide, accessible through the built-in help menu. The Center for Internet Security (CIS) further recommends applying updates, enforcing the principle of least privilege for user accounts, conducting rigorous vulnerability scans, and isolating critical systems and resources.
While there are no confirmed reports of these vulnerabilities being exploited in the wild, their severity underscores the importance of prompt action to protect against potential attacks. Organizations using LenelS2 NetBox must prioritize updating their systems and enhancing their security measures to safeguard critical infrastructure from these significant threats.
Reference:
