How are Linear eMerge E3 systems vulnerable to attacks?

ICS-CERT issued a security advisory for a vulnerability in Nortek Linear eMerge E3. What does this product do? What does the vulnerability allow attackers to do, and how should customers address it?

Nortek Security and Control LLC's Linear eMerge E3 is an access control interface that specifies which doors a person can use to enter and exit designated places at specified times. All three versions run on embedded Linux Operating System and can be managed from a web-based monitor or a mobile phone.

Software features for the Elite and Essential versions include a dashboard -- from which video can run -- and graphic floor plans. The SQL database engine is used in all versions to collect data from the control interface; however, Distributed Redundant Database architecture is only in the Elite version.

The vulnerability found in the Nortek Linear eMerge E3 points to the command injection in versions VO 32-07e and prior. This means that a remote attacker with elevated privileges could successfully execute malicious code and take over the server. To mitigate the risk of this vulnerability, the affected customers should upgrade the firmware as specified in Nortek's E3 User Programming Guide on page 47.

According to recommendations from the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center, customers should:

• ensure network exposure is minimized for all control system devices and cannot be accessible from the internet;
• locate firewall ports used for control system networks and remote devices and segment them from the business network; and
• use virtual private networks for remote access and ensure they are updated to the current version.

Furthermore, customers should perform an impact analysis and risk assessment on remote devices in control system networks, as assets, vulnerabilities and risks need to be identified before cost-effective countermeasures can be determined.

ICS-CERT published a research paper in 2016 title "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies" and it can be applied to Nortek access control systems as the topics include risk management, asset inventory, physical security, host security and security monitoring.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)