bluebay2014 - Fotolia
ICS-CERT issued a security advisory for a vulnerability in Nortek Linear eMerge E3. What does this product do? What does the vulnerability allow attackers to do, and how should customers address it?
Nortek Security and Control LLC's Linear eMerge E3 is an access control interface that specifies which doors a person can use to enter and exit designated places at specified times. All three versions run on embedded Linux Operating System and can be managed from a web-based monitor or a mobile phone.
Software features for the Elite and Essential versions include a dashboard -- from which video can run -- and graphic floor plans. The SQL database engine is used in all versions to collect data from the control interface; however, Distributed Redundant Database architecture is only in the Elite version.
The vulnerability found in the Nortek Linear eMerge E3 points to the command injection in versions VO 32-07e and prior. This means that a remote attacker with elevated privileges could successfully execute malicious code and take over the server. To mitigate the risk of this vulnerability, the affected customers should upgrade the firmware as specified in Nortek's E3 User Programming Guide on page 47.
According to recommendations from the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center, customers should:
- ensure network exposure is minimized for all control system devices and cannot be accessible from the internet;
- locate firewall ports used for control system networks and remote devices and segment them from the business network; and
- use virtual private networks for remote access and ensure they are updated to the current version.
Furthermore, customers should perform an impact analysis and risk assessment on remote devices in control system networks, as assets, vulnerabilities and risks need to be identified before cost-effective countermeasures can be determined.
ICS-CERT published a research paper in 2016 title "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies" and it can be applied to Nortek access control systems as the topics include risk management, asset inventory, physical security, host security and security monitoring.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Database security
Related Q&A from Judith Myerson
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
The TP-Link EAP Controller for Linux was recently found to be vulnerable to attacks. Learn from Judith Myerson what this means for users and how it ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.