LenelS2 has an update available to address use of a hard-coded password, OS command injection, and argument injection vulnerabilities in its NetBox, according to a report with CISA.

Successful exploitation of these remotely exploitable vulnerabilities, discovered by Noam Moshe of Claroty Team82, could allow an attacker to bypass authentication and execute malicious commands with elevated permissions.

The following products of LenelS2, a Carrier Brand, suffer from the vulnerabilities: NetBox, all versions prior to 5.6.2.

In one issue, LenelS2 NetBox access control and event monitoring system contains hard-coded credentials in versions prior to and including 5.6.1, which allows an attacker to bypass authentication requirements.

CVE-2024-2420 is the case number for this vulnerability, which has a CVSS v3.1 base score of 9.8. There is also a CVSS v4 base score of 9.3.


In addition, LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated remote code execution in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.

CVE-2024-2421 is the case number for this vulnerability, which has a CVSS v3.1 base score of 9.1. There is also a CVSS v4 base score of 9.3.

Also, LenelS2 NetBox access control and event monitoring system contains an authenticated remote code execution in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands.

CVE-2024-2422 is the case number for this vulnerability, which has a CVSS v3.1 base score of 8.8. There is also a CVSS v4 base score of 8.7.

The product sees use mainly in the commercial facilities sector, and on a global basis.

No known exploits target these vulnerabilities. However, an attacker could easily leverage these vulnerabilities.

Users should upgrade to NetBox release 5.6.2, which mitigates the vulnerabilities. To upgrade to NetBox release 5.6.2, users should contact their authorized installer.

Users should also follow the recommended deployment guidelines in the NetBox hardening guide, available from the NetBox built-in help menu.

For more information, see Carrier’s security bulletin for LenelS2.

ISSSource
