CVE-2024-22383
Severity: Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Components affected: Controller 7000
Version of Command Centre affected: 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)), 8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).
Reported by: Gallagher Internal
Active exploitation of vulnerability*: No
Description of vulnerability: Missing release of resource after effective lifetime (CWE-772) in the Controller 7000 resulted in HBUS connected T-Series readers to not automatically recover after coming under attack over the RS-485 interface, resulting in a persistent denial of service.
This issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507(MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)), 8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).
Mitigation: Only sites with Controller 7000 or Controller 7000 SDC (Single Door Controller) are affected. To exploit this an attacker would need access to the HBUS cabling, ensure HBUS cables are suitably protected.
Maintenance releases are now available for:
- ·v9.00 - v9.00.1774 (MR2)
- ·v8.90 - v8.90.1751 (MR3)
- ·v8.80 - v8.80.1526 (MR4)
- ·v8.70 - v8.70.2526 (MR6)
Important notes:
*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.
Stay up to date with Gallagher
Get the latest Gallagher news, updates, and event information delivered straight to your inbox.