
Severity: Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Components affected: Controller 7000

Version of Command Centre affected: 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)), 8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).

Reported by: Gallagher Internal

Active exploitation of vulnerability*: No

Description of vulnerability: Missing release of resource after effective lifetime (CWE-772) in the Controller 7000 caused HBUS-connected T-Series readers to fail to recover automatically after coming under attack over the RS-485 interface, resulting in a persistent denial of service.

This issue affects: All variants of the Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.240209b (distributed in 8.90.1751 (MR3)), 8.80 prior to vCR8.80.240209a (distributed in 8.80.1526 (MR4)), 8.70 prior to vCR8.70.240209a (distributed in 8.70.2526 (MR6)).

Mitigation: Only sites with Controller 7000 or Controller 7000 SDC (Single Door Controller) are affected. To exploit this, an attacker would need access to the HBUS cabling; ensure HBUS cables are suitably protected.

Maintenance releases are now available for:

  • v9.00 - v9.00.1774 (MR2)
  • v8.90 - v8.90.1751 (MR3)
  • v8.80 - v8.80.1526 (MR4)
  • v8.70 - v8.70.2526 (MR6)

Important notes:

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.
