PT-2024-20682 · Gallagher · Controller 7000+1

Published: 2024-09-10 · Updated: 2024-09-11 · CVE-2024-24972

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Controller 6000 and Controller 7000 versions 8.70 and prior
Controller 6000 and Controller 7000 versions 8.80 through 8.80.1938 (MR6)
Controller 6000 and Controller 7000 versions 8.90 through 8.90.2155 (MR5)
Controller 6000 and Controller 7000 versions 9.00 through 9.00.2168 (MR4)
Controller 6000 and Controller 7000 versions 9.10 through 9.10.1530 (MR2)

Description

The diagnostic web interface of the Controller 6000 and Controller 7000 copies input into a buffer without checking its size (Buffer Copy without Checking Size of Input). An authorized and authenticated operator can use this to reboot the Controller, causing a Denial of Service. The diagnostic web page is not enabled by default and should only be used for diagnostic purposes unless advised by Gallagher Technical Support.

Recommendations

For Controller 6000 and Controller 7000 versions 8.70 and prior, consider disabling the diagnostic web interface until a patch is available.
For Controller 6000 and Controller 7000 versions 8.80 through 8.80.1938 (MR6), update to version 8.80.1938 (MR6) or later.
For Controller 6000 and Controller 7000 versions 8.90 through 8.90.2155 (MR5), update to version 8.90.2155 (MR5) or later.
For Controller 6000 and Controller 7000 versions 9.00 through 9.00.2168 (MR4), update to version 9.00.2168 (MR4) or later.
For Controller 6000 and Controller 7000 versions 9.10 through 9.10.1530 (MR2), update to version 9.10.1530 (MR2) or later.
As a temporary workaround, consider disabling the diagnostic web page unless advised by Gallagher Technical Support.
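The version ranges above are easy to misread when triaging a fleet, so here is an added Python helper (not part of the advisory or any Gallagher tooling) that maps a controller firmware version string to the advisory's affected/fixed status and the fix build to apply. It assumes that a build equal to the listed fix build counts as patched, following the "update to ... or later" wording, and that the 8.70-and-prior branches have no fix build; the inventory values are constructed.

```python
# Added example, not from the advisory: classify Gallagher Controller 6000/7000
# firmware versions against the affected ranges and fix builds listed above.
# Assumption: a build equal to the listed fix build is patched ("update to ... or
# later"); branches 8.70 and prior have no fix build and are always affected.
from typing import Dict, Optional, Tuple

# Fix builds per release branch (major, minor), taken from the recommendations.
FIX_BUILDS = {
    (8, 80): (8, 80, 1938),  # MR6
    (8, 90): (8, 90, 2155),  # MR5
    (9, 0): (9, 0, 2168),    # MR4
    (9, 10): (9, 10, 1530),  # MR2
}
LAST_UNPATCHED_BRANCH = (8, 70)  # "8.70 and prior": no fixed build exists


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.80.1938' into (8, 80, 1938); tolerate a trailing ' (MR6)' label."""
    parts = text.split()[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, advice) for one controller firmware version string."""
    version = parse_version(text)
    branch = version[:2]
    if branch <= LAST_UNPATCHED_BRANCH:
        return ("affected", "no fixed build; disable the diagnostic web page")
    fix = FIX_BUILDS.get(branch)
    if fix is None:
        return ("unknown", "branch not listed in the advisory; check vendor notes")
    build = version if len(version) == 3 else version + (0,)  # bare '8.80' = build 0
    if build < fix:
        return ("affected", "update to %d.%02d.%d or later" % fix)
    return ("fixed", None)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every controller in a {name: version} inventory (constructed input)."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = {"lobby-ctrl": "8.70", "dock-ctrl": "8.80.1900", "hq-ctrl": "9.00.2168 (MR4)"}
    for name, (status, advice) in triage(sample).items():
        print(f"{name:12s} {status:9s} {advice or ''}")
```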

Fix

Weakness Enumeration

Buffer Overflow

Related Identifiers

CVE-2024-24972

Affected Products

Controller 6000
Controller 7000