Carrier fixes flaws in LenelS2 NetBox access control/event monitoring system
Take action: If you are using Carrier NetBox, update it ASAP, since the hardcoded password flaw is immediately exploitable.
Carrier has issued an advisory about several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform.
Carrier identified three key vulnerabilities that affect all versions of LenelS2 NetBox prior to 5.6.2.
- CVE-2024-2420 (CVSS score 9.8): a hard-coded password that could enable attackers to bypass authentication requirements and obtain elevated permissions.
- CVE-2024-2421 (CVSS score 9.1): an unauthenticated remote code execution vulnerability that could allow attackers with elevated permissions to execute malicious commands.
- CVE-2024-2422 (CVSS score 8.8): an authenticated remote code execution vulnerability that could allow attackers to execute malicious commands.
The Center for Internet Security (CIS) has stated that these vulnerabilities pose higher risks to large and medium-sized government or business entities while posing lower risks to small businesses and individual homeowners.
Carrier has addressed these vulnerabilities in the latest release, NetBox version 5.6.2. Customers are advised to upgrade to this version immediately by contacting their authorized NetBox installer. Additionally, Carrier recommends following deployment guidelines outlined in the NetBox hardening guide, accessible via NetBox’s built-in help menu.
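Since every NetBox release before 5.6.2 is affected, the practical first step for a defender is to compare the version each installation reports against that fixed release. The script below is an added example, not code from Carrier or the advisory; the hostnames and version strings in its inventory are constructed, and it assumes versions are reported as dotted numerics like "5.6.1". It parses versions numerically rather than comparing strings, which matters because a plain string comparison would wrongly rank "5.10.0" below "5.6.2".

```python
# Added example (not from the Carrier advisory): flag NetBox installations whose
# reported version predates the fixed release 5.6.2 named in the advisory.
from typing import Iterable, List, Tuple

FIXED_VERSION = "5.6.2"  # from the advisory; all earlier versions are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.6.1' into (5, 6, 1) so versions compare numerically.

    Missing components are treated as zero, so '5.6' becomes (5, 6, 0).
    Non-numeric components are rejected rather than silently ordered.
    """
    nums = []
    for part in version.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the version is older than 5.6.2, i.e. lacks the fixes."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample inventory of (hostname, reported NetBox version); not real devices.
SAMPLE_INVENTORY = [
    ("netbox-hq", "5.6.2"),
    ("netbox-site-a", "5.6.1"),
    ("netbox-site-b", "5.10.0"),  # a string compare would wrongly rank this below 5.6.2
    ("netbox-lab", "5.6"),
]


def find_affected(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still need the 5.6.2 upgrade."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: update to NetBox {FIXED_VERSION} or later")
```

Feed `find_affected` your own inventory of (hostname, version) pairs; any host it returns should be scheduled for the upgrade through the authorized installer, and hardened per the NetBox hardening guide in the meantime.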