PT-2023-19694 · Gallagher · Gallagher Controller 6000
Kevin Schaller +1
Published 2023-12-18 · Updated 2024-01-05
CVE-2023-24590
| CVSS v3.1 | 8.8 (High) |
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Gallagher Controller 6000 versions 8.50 and prior
Gallagher Controller 6000 versions 8.60 prior to vCR8.60.231116a
Description
A format string issue in the Controller 6000's optional diagnostic web interface can be used to read from or write to memory and, in some instances, crash the Controller 6000, leading to a denial of service.
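As an added illustration (not code from the advisory or from Gallagher), this is the CWE-134 pattern the description refers to: a hypothetical diagnostic handler that passes a request parameter as the format string, beside the fixed form that treats the parameter as data only, plus a simple input check a defender can apply in front of such an interface.

```c
/* Added example, not Gallagher's code: the format-string defect class
 * behind this advisory, modelled on a diagnostic web handler that
 * echoes a request parameter into its response. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: the caller-controlled parameter is passed AS the format
 * string, so any '%' directive in it is interpreted by snprintf, which
 * is how memory reads, writes and crashes become possible. Shown for
 * contrast only; never call it with untrusted input. */
int render_diag_vulnerable(char *out, size_t out_len, const char *param) {
    return snprintf(out, out_len, param);   /* CWE-134 */
}

/* Fixed: a constant format string; the parameter can only ever be data,
 * so "%x" or "%n" in it is echoed literally. */
int render_diag_fixed(char *out, size_t out_len, const char *param) {
    return snprintf(out, out_len, "%s", param);
}

/* Defence in depth for an interface that cannot be patched yet: reject
 * parameters carrying any format directive. "%%" is a literal percent
 * sign and is allowed; a lone trailing '%' is treated as a directive. */
int contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

int main(void) {
    char out[64];
    const char *param = "%x%n";   /* constructed hostile input */
    render_diag_fixed(out, sizeof out, param);
    printf("fixed handler echoed: %s\n", out);
    printf("directive check: %d\n", contains_format_directive(param));
    return 0;
}
```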
Recommendations
For Gallagher Controller 6000 versions 8.50 and prior, update to a version later than 8.50.
For Gallagher Controller 6000 versions 8.60 prior to vCR8.60.231116a, update to vCR8.60.231116a or later, which is distributed in 8.60.2550 (MR7).
As a temporary workaround, consider disabling the diagnostic web interface until a patch is available.
Weakness Enumeration
CWE-134: Use of Externally-Controlled Format String
Related Identifiers
Affected Products
Gallagher Controller 6000